using the cisco wireless controller (cisco wlc) web user ...the summary page provides a top level...

C H A P T E R 1
Using the Cisco Wireless Controller (Cisco WLC) Web User Interface
OverviewThe Web User Interface is built into each Cisco WLC. The Web User Interface enables up to five users simultaneously to browse the built-in controller HTTP or HTTPS (HTTP + SSL) Web server, configure parameters, and monitor operational status for the Cisco WLC and its associated access points.

Because the Web User Interface works with one Cisco WLC at a time, the Web User Interface is useful when you want to configure or monitor a single Cisco WLC and its associated access points.

The Web User Interface has two views:

• Main Dashboard View, page 1-1

• Advanced View, page 1-2

Main Dashboard ViewIntroduced in Release 8.1, the Main Dashboard, which is displayed when you log on to the Cisco WLC, contains the following:

• AP or Client search bar—Search for an AP or a client by typing its name.

• Advanced—To go to the Advanced view, that is the classic Web UI mode. In the Advanced View, click Home to return to the Main Dashboard view.

• Dashboard Settings—Use this to set the landing page, view system information, or log out of Cisco WLC Web UI.

• A pane on the left hand side with Monitoring menus using which you can monitor the access points and clients and their performance details. The Monitoring pane also contains a link to the Best Practices page.

• A set of widgets displaying information about wireless networks, access points, active clients, rogues, and interferers. Another set of widgets display status of access points, clients, and information about operating systems and applications. Click the + icon to add a widget.

1-1Cisco Wireless Controller Online Help

Chapter 1 Using the Cisco Wireless Controller (Cisco WLC) Web User Interface Advanced View

Monitoring PaneThe Monitoring pane has the following menus:

• AP Performance—Has four widgets that show the following:

– Coverage—Shows bottom 10 APs based on coverage hole detection (CHD)

– Client Load—Shows top 10 APs based on client count. It also shows AP throughput

– Interference—Shows top 10 APs based on noise

– Channel Utilization—Shows top 10 APs by interference, data traffic, and available capacity

• Client Performance—Has four widgets that show the following:

– Clients by signal strength

– Client by signal quality

– Client by connection speed

– Client by connectivity state

• Access Points—Has a table view of all the APs in the network. You can add or remove columns and sort by columns. Click on any AP to verify the AP details.

• Clients—Has a table view of all the clients in the network. You can add or remove columns and sort by columns. Click on any client to verify the client details.

Best Practices

The Best Practices page offers current compliance assessment and available categories of best practices. The Best Practices are enabled by default if you have used the Cisco WLAN Express Setup to configure the WLC.

Note The Best Practices are not enabled through CLI setup wizard or image upgrades.

The Best Practices categories include:

– Infrastructure

– Security

– RF Management

Click the + icon to select a recommended Best Practice parameter, read an expert recommendation, and click Fix it Now or later reverse the Best Practice configuration option by clicking Restore Default.

Click Learn More to go to the relevant section in the Cisco Wireless Controller Best Practices document.

Advanced ViewThe Advanced View shows the Cisco WLC in the classic Web UI mode and contains the following:

• Menu Bar

• Left Navigation Pane

• Main Data Page



• Toolbar

• Buttons

Menu Bar

The Menu Bar contains the following tabs:

• Monitor Tab

• WLANs Tab

• Controller Tab

• Wireless Tab

• Security Tab

• Management Tab

• Commands Tab

• Help—Launches this online help document that gives descriptions of the Web UI elements.

• Feedback Tab—Option to provide your feedback on the Cisco WLC.

Left Navigation Pane

The left navigation pane enables you to select a new configuration panel under the menu area that you have selected. You may select a single configuration panel from several available choices for data to be displayed or configured. The left navigation pane options vary based on the menu that you select.

Main Data Page

The main data page depends on what information the menu requires. Input fields are of two basic types:

• Text boxes into which you may enter data using the keyboard

• Drop-down lists from which you can choose from several available options

To perform an action, you may need to enter or select data on the page. To save your changes in the Cisco WLC, click the Apply button available on the right-hand side, top corner of the page.

Note Microsoft Internet Explorer generates a submit action on the next available button when you press the enter key while you are in an input field. On most menus, this action triggers the apply function.

Toolbar

This area provides shortcuts to the following administrative functions used on a regular basis when configuring a controller through the Web User Interface.

• Save Configuration—Saves data to the Cisco WLC in nonvolatile RAM (NVRAM) and is preserved in the event of a power cycle. If you reboot the Cisco WLC, all applied changes are lost unless the configuration has been saved. Click Save to save the current configuration.

• Ping—Sends a ping to a network element.



This alert box enables you to tell the Cisco WLC to send a ping request to a specified IP address to help determine if there is connectivity between the Cisco WLC and a particular IP station. Once you click the Submit button, three pings are sent and the results of the pings are displayed in the alert box. If a reply to the ping is not received, it displays “No Reply Received from IP xxx.xxx.xxx.xxx”; otherwise, it displays “Reply received from IP xxx.xxx.xxx.xxx: (send count = 3, receive count = n).”

• Logout—Exits the current Web User Interface session.

• Refresh—Updates the data on the current page from the Cisco WLC.

• Home—Opens the Main Dashboard.

Buttons

At the right side of the main data page, you can click command buttons to apply or refresh the data that is displayed on the main data page.

Buttons take immediate effect when you select them and information goes to the controller about the state of the menu at that time. The most commonly used buttons are as follows:

• Apply—Sends data to the Cisco WLC but data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

• Back—Takes you back to the previously viewed page.

There are additional buttons that perform other actions; not all main data pages have all buttons. The functionality of these buttons is described in the respective help topics.

Navigating Pages with Many APs

If your Cisco WLC is associated with many access points and if they cannot be displayed in a single page, you can use one of the following options to navigate the pages that list the access points by clicking the buttons on the top right-hand corner of the page.

• Click the individual page number to go to a specific page.

• Click the forward and backward buttons at the extreme end of the page to go to the first or last pages.

• Click the forward or backward buttons to skip to the next five pages.

Applying Parameters

After you save the new parameters or settings that you entered, the page is refreshed. However, in some cases, the settings may appear different than the ones that you specified because the affected code takes some time to execute. You should refresh the menu or the page to see the expected results.

Note When applying parameters on a page, some parameters may need to have the network to be down so that they can be applied. When configuring such parameters using the GUI, if the network is up and running, you may see an error message indicating that the network is operational.

Refreshing the Page

Using the refresh function from the Web User Interface refreshes all pages and displays the default initial window in the main data page.



If you want to refresh a page in the main data area, and there is no refresh button present, use your mouse to right-click the main data area page, and select the refresh option.


C H A P T E R 2
Monitor Tab
The Monitor tab on the menu bar enables you to access the controller and access points’ summary details. Use the left navigation pane to access the respective network details.

You can view information about the following from the Monitor tab:

• Summary

• Access Points

• Cisco CleanAir

• Statistics

• Cisco Discovery Protocol

• Rogues

• Redundancy

• Clients

• Sleeping Clients

• Multicast Groups

• Applications

• Lync

• Local Profiling

SummaryChoose MONITOR > Summary to navigate to the Summary page.

The summary page provides a top level description of your controller, access points, clients, WLANs, and rogues. Rogues are unauthorized devices (access points, clients) that are connected to your network.

The controller image is displayed at the top of the summary page and gives information about the controller model number and the number of access points supported by the controller.

Note All parameters on this page are read-only parameters.

This page is automatically refreshed every 30 seconds.

This table describes the monitor summary parameters.


Chapter 2 Monitor Tab Summary

Table 2-1 Summary Parameters

Parameters Description

Controller Summary

Management IP Address Management IPv4/IPv6 address of the controller. From Release 8.0, IPv6 is also supported for configuring Management interface.

Service Port IP Address IPv4/IPv6 address of the controller front-panel service port. From Release 8.0, IPv6 is also supported for configuring Service interface.

Software Version Version of the Operating System running on the controller.

Field Recovery Image Version Version of the boot software ER.aes file.

Note If a boot software ER.aes file is not installed, the Field Recovery Image Version field shows an error.

System Name Controller name specified by the operator.

Up Time Time elapsed since the controller was last rebooted.

System Time Current time set on the controller.

Redundancy Mode Redundancy mode operational on the device. The redundancy modes are as follows:

• 0—No redundancy

• SSO—Hot Standby Mode

• RPR—Cold Standby Mode

Internal Temperature The internal temperature of the controller.

802.11a/n Network State Network that is enabled or disabled.

802.11b/g/n Network State Network that is enabled or disabled.

Local Mobility Group Name of the default mobility group.

CPU Usage Percentage of the CPU in use.

Individual CPU Usage (5500 series controller only)

Percentage of the CPU in use and the percentage of the CPU time spent at the interrupt level. This field appears only for the Cisco 5500 Series Controller.

Memory Usage Percentage of memory in use.

Access Point Summary

802.11a/n/ac Radios Number of 802.11a/n Cisco Radios. Click Detail for additional information about 802.11a/n/ac Radios.

802.11b/g/n Radios Number of 802.11b/g/n Cisco Radios. Click Detail for additional information about 802.11b/g/n Radios.

Dual-Band Radios Number of 802.11a/b/g/n Cisco Radios. Click Detail for additional information about Dual-Band Radios.

All APs Number of access points associated with this controller. Click Detail for additional information about All APs.

Client Summary

Current Clients Number of clients currently associated with the controller. Click Detail for additional information about current Clients.


Chapter 2 Monitor Tab Access Points

Access PointsChoose MONITOR > Access Points to navigate to the Access Points page. From here you can choose the following:

• MONITOR > Access Points > Radios > 802.11a/n/ac to view the Cisco radio profile for your 802.11a/n/ac RF network.

• MONITOR > Access Points > Radios > 802.11b/g/n to view the Cisco radio profile for your 802.11b/g/n RF network.

• MONITOR > Access Points > Radios > Dual-Band Radios to view the Cisco radio profile for your 802.11a/b/g/n RF network.

For more details, see 802.11a/n/ac Radios, 802.11b/g/n Radios, and Dual-Band Radios.

Excluded Clients Number of excluded client computers by MAC address that you can enable or disable. Click Detail for additional information about excluded clients.

Disabled Clients Number of clients that are currently disabled. Click Detail for additional information about disabled clients.

Rogue Summary

Active Rogue APs Number of unauthorized access points detected by the controller. Click Detail for additional information about active Unclassified Rogue APs.

Active Rogue Clients Number of active clients associated with a rogue access point. Click Detail for additional information about Rogue Client Details.

Adhoc Rogues Number of ad-hoc rogues. Click Detail for additional information about Adhoc Rogues.

Rogues on Wired Network Number of rogues on a wired network. Click Detail for additional information.

Top WLANs

Profile Name Name of the WLAN as specified by the operator.

# of Clients by SSID Number of clients associated with the WLAN based on SSID.

Most Recent Traps Log of most recent SNMP traps. Click View All to view all SNMP Trap Logs.

Top Applications

Application Name Top 10 applications detected by the Cisco WLC in the last three minutes that appear according to their total byte count. These applications include both upstream and downstream applications.

Packet Count Packet count of the application.

Byte Count Byte count of the application.





802.11a/n/ac RadiosChoose MONITOR > Access Points > Radios > 802.11a/n/ac to navigate to the 802.11a/n/ac Radios page.

The 802.11a/n/ac Radios page displays the Cisco Radio profile for your 802.11a/n/ac RF network. The page also displays the status of each 802.11a/n/ac Cisco Radio that is configured on the controller and its profile.

AP List Filter

Click Change Filter to display the Search APs dialog box (see the figure below) and to create or change filter parameters. Click Clear Filter to remove the filter and display the entire access point list.

You can create a filter to display the list of access points by MAC address or AP name.

The following filter parameters are displayed in the Current Filter field.

• MAC Address—MAC address.

• AP Name—Access point name.

• CleanAir Oper Status—Operational status of the CleanAir-capable access point. Choose from the following available statuses:

– UP

– DOWN

– ERROR

– N/A

Note When you enable filtering by the MAC address, the other filters are disabled automatically. However, you can use a combination of the AP Name and CleanAir Oper Status to filter access points.

Click Find to commit your changes. Only the access points that match your search criteria appear on the 802.11a/n/ac Radios page. The Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, MAC address:00:1e:f7:75:0a:a0 or AP Name:pmsk-ap).

Note If you want to remove the filter and display the entire access point list, click Clear Filter.

802.11a/n/ac and 802.11b/g/n Radio Profile

To access the details for each Cisco Radio, click the Detail link (see Radio Statistics for more information).

To access the details of air quality, click the blue arrow adjacent the desired radio and click CleanAir (see Cisco CleanAir for more information).

Note Only Cisco Aironet 3500 and 3600 series access point radios can be configured for Cisco CleanAir.

This table describes the 802.11a/n /ac radio parameters.



Radio StatisticsChoose MONITOR > Access Points > Radios > 802.11a/n/ac or 802.11b/g/n, click the blue arrow adjacent the desired access point and choose Detail to navigate to the Radio Statistics page.

Note Rx Neighbors, Radar Information, and Band Select Statistics are not displayed for outdoor mesh access points.

This page displays the RF (Radio Frequency) statistics for the selected Cisco Radio. You can alternate between the Graphics View and the Text View by clicking the Graphics View/Text View button. You can view and refresh the following statistics by selecting them (using the check boxes) and then clicking the Refresh button on the data page:

• Profile Information

• Rx Neighbors

• 802.11 MAC Counters

• Radar Information

• Band Select Statistics

This page also displays the following access point variables:

• AP Name

• Base Radio MAC Address

Table 2-2 802.11a/n /ac Radio Parameters


AP Name Name assigned to the access point.

Radio Slot # Slot where the radio is installed.

Base Radio MAC MAC address of the access point.

Sub Band Radio sub band, if it is active: 4.9 GHz or 5.8 GHz.

Operational Status Operational status of the Cisco Radios: UP or DOWN.

Radio Role Radio role: UPLINK or DOWNLINK.

Load Profile Radio Resource Management (RRM) profile for the Cisco Radio. The profile status is displayed as a pass or fail with details provided on the Radio Statistics page.

Note For Cisco OEAP 600 Series access points, the following parameters show the value as N/A:

– Load Profile

– Noise Profile

– Interference Profile

– Coverage Profile

Noise Profile

Interference Profile

Coverage Profile

CleanAir Admin Status CleanAir admin status.

CleanAir Oper Status Spectrum sensor status for this access point.



• AP IP Address (IPv4/IPv6)

• Radio Type (802.11a/n/ac or 802.11b/g/n)

• Operational Status

• Monitor Only Mode Status

• Channel Number

• Slot #

Link Parameters

These parameters are displayed for 802.11a/n/ac radios on Mesh access points.

• Radio Role—Radio role for the backhaul: UPLINK or DOWNLINK.

• Source Backhaul MAC—MAC address of the source backhaul radio.

VoIP Stats

Note VoIP Stats parameters are not displayed for outdoor mesh access points.

The VoIP Stats shows the cumulative number and length of voice calls for this access point radio. Entries are added automatically when voice calls are successfully placed and deleted when the access point disassociates from the Cisco WLC.

SIP CAC Call Stats

Note The SIP CAC Call Stats parameters are not displayed for outdoor mesh access points.

The SIP CAC Call stats section shows the following information:

• Total number of SIP calls in progress

• Number of roaming SIP calls in progress

• Total number of SIP calls since AP joined

• Total number of roaming SIP calls since AP joined

• Total number of SIP calls rejected due to insufficient bandwidth

• Total number of SIP roam calls rejected due to insufficient bandwidth

• Total number of SIP calls rejected due to maximum call limit

• Total number of SIP roam calls rejected due to maximum call limit

Preferred Call Stats

The Preferred Call Stats section shows the following information:

• Total number of preferred calls received

• Total number of preferred calls accepted



KTS CAC Call Stats

The KTS CAC Call Stats section shows the following information:

• Total number of KTS calls in progress

• Number of roaming KTS calls in progress

• Total number of KTS calls since AP joined

• Total number of roaming KTS calls since AP joined

• Total number of KTS calls rejected due to insufficient bandwidth

• Total number of KTS roam calls rejected due to insufficient bandwidth

Video Call Admission Control (CAC) Stats

The Video Call Admission Control (CAC) Stats section shows the following information:

• Video Bandwidth in use (% of config bandwidth)

• Video Roam Bandwidth in use (% of config bandwidth)

• Total Bandwidth in use for Video

TPSEC Video CAC Call Stats

The TPSEC Video CAC Call Stats section shows the following information:

• Total number of video calls in progress

• Number of roaming video calls in progress

• Total number of video calls since AP joined

• Total number of roaming video calls since AP joined

• Number of video calls rejected since AP joined

• Number of roaming video calls rejected since AP joined

• Number of video calls rejected due to insufficient bandwidth

• Number of video roam calls rejected due to invalid parameters

• Number of video roam calls rejected due to the physical layer (PHY) rate

• Number of video roam calls rejected due to the QoS policy

SIP Video CAC Call Stats

The SIP Video CAC Call Stats section shows the following information:

• Total number of video calls in progress

• Number of roaming video calls in progress

• Total number of video calls since AP joined

• Total number of roaming video calls since AP joined

• Number of video calls rejected due to insufficient bandwidth

• Number of roaming video calls rejected due to insufficient bandwidth



Profile Information—Graphics View and Text View

The RF statistics are used to derive the RRM profile for each Cisco Radio in your network (see the following figure). The controller uses the Radio Resource Management (RRM) profile to adjust the Cisco Radio transmit and receive levels in order to maintain the most efficient configuration for your network. This data view also displays the RF properties of the controller and its clients.

• The Radio Resource Management (RRM) PASSED/FAILED thresholds are globally set for all access points in the 802.11a/n/ac RF Grouping and 802.11b/g/n RF Grouping pages.

• The Radio Resource Management (RRM) PASSED/FAILED thresholds are individually set for this access point in the Performance Profile of 802.11a/n/ac Access Points page.

Click Graphics View to view the RRM profile information as a graph.

Click Text View to view the RRM profile information as tables.

The following sections describe each of the Graphical and Text results.

Noise vs. Channel

Each channel of the access point appears with the corresponding non-802.11 noise that interferes with the currently assigned channel.

Interference by Channel

Each channel of the access point appears with the corresponding traffic interference from other 802.11 sources.

Load Statistics

The total Receive and Transmit bandwidth and channel utilization appears for transmitting and receiving traffic on this Cisco Radio. The number of attached clients is also displayed.

% Client Count vs. RSSI

This graphic view sorts attached clients by their Received Signal Strengths.

% Client Count vs. SNR

This graphic view sorts attached clients by their Signal to Noise Ratios.

Rx Neighbors Information

This area displays the Cisco Radio’s neighboring access points and their IP address and RSSI values. These details are used for channel allotment and RF coverage area shaping.

Information similar to the following appears:

AP 00:0b:85:00:83:00 Interface 0 172.16.16.10

where

• AP is an access point.

• 00:0b:85:00:83:00 is the MAC address of the neighboring access point.

• Interface x is the interface number of the neighboring access point.

• 172.16.16.10 is the IP address of the access point’s controller.



Radar Information

The Dynamic Frequency Selection (DFS) capability of the Cisco IOS software detects radar signals (typically military and weather) within the operating range of the access point. If a radar is detected, then the Cisco IOS access point will decide which channel to go on and report that information to the Cisco WLC. The Cisco WLC will then be responsible for maintaining a 30-minute timeout for the channels on which the radar was detected. When the access point is in FlexConnect standalone mode, it changes the channel when it detects a radar and reports back to the Cisco WLC after the next successful join.

802.11 MAC Counters

This table describes the 802.11 MAC counters.

Table 2-3 802.11 MAC Counters

Counter Description

Tx Fragment Count Counter that is incremented for an acknowledged MPDU (MAC Protocol Data Unit) with an individual address in the address 1 field.

Tx Failed Count Counter that increments when an MSDU (MAC Service Data Unit) is successfully transmitted after one or more retransmissions.

Multiple Retry Count (Graphics view only)

Counter that increments when an MSDU is successfully transmitted after more than one retransmission.

RTS Success Count Counter that increments when a CTS (Clear To Send) is received in response to an RTS (Request To Send).

ACK Failure Count Counter that increments when an ACK is not received when expected.

Multicast Rx Frame Count Counter that increments when an MSDU is received with the multicast bit set in the destination MAC address.

Tx Frame Count Counter that increments for each successfully transmitted MSDU.

Multicast Tx Frame Count Counter that increments only when the multicast bit is set in the destination MAC address of a successfully transmitted MSDU. When operating as a STA in an ESS, where these frames are directed to the access point, this frame count implies having received an acknowledgment to all associated MPDUs.

Retry Count Counter that increments when an MSDU is successfully transmitted after one or more retransmissions.

Frame Duplicate Count Counter that increments when a frame is received that the Sequence Control field indicates is a duplicate.

RTS Failure Count Counter that increments when a CTS is not received in response to an RTS.

Rx Fragment Count Counter that increments for each successfully received MPDU of type Data or Management.

FCS Error Count Counter that increments when an FCS error is detected in a received MPDU.

WEP Undecryptable Count

Counter that increments when a frame received with the WEP subfield of the Frame Control field is set to one and the WEP On value for the key that is mapped to the MAC address of the TA indicates that the frame should not have been encrypted or that the frame has been discarded because to the receiving STA has not implemented the privacy option.



Band Select Statistics

The Band Select Statistics section shows the following information:

• Number of dual band client

• Number of dual band client added

• Number of dual band client expired

• Number of dual band client replaced

• Number of dual band client detected

• Number of suppressed client

• Number of suppressed client expired

• Number of suppressed client replaced

CleanAir Parameters

The CleanAir operational status is displayed by the Operational Status parameter.

802.11b/g/n RadiosChoose MONITOR > Access Points > Radios > 802.11b/g/n to navigate to this page.

This page displays the Cisco Radio profile for your 802.11b/802.11g RF network. It shows the status of each 802.11b/g Cisco Radio configured and its profile.

AP List Filter

Click Change Filter to display the Search APs dialog box (see the following figure) and to create or change filter parameters. Click Clear Filter to remove the filter and display the entire access point list.

You can create a filter to display the list of access point by MAC address or AP name.




• CleanAir Oper Status—Operational status of the CleanAir capable access point. Choose from the following available statuses:

– UP

– DOWN

– ERROR

– N/A




Click Find to commit your changes. Only the access points that match your search criteria appear on the 802.11b/g/n Radios page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, MAC address:00:1e:f7:75:0a:a0 or AP Name:pmsk-ap).


802.11b/g/n Radios

To access details for each Cisco Radio, click the Detail link (see Radio Statistics for more information).

To access details of the air quality, click the blue arrow adjacent the desired access point radio and choose CleanAir (see Cisco CleanAir for more information).

Note Only Cisco Aironet 3500 series access point radios can be configured for Cisco CleanAir.

This table describes the 802.11b/g/n radio parameters.

CleanAir Radio Monitoring Rapid UpdateChoose MONITOR > Access Points > Radios > 802.11a/n/ac or 802.11b/g/n. Click the blue arrow adjacent the desired access point radio and choose CleanAir. The 802.11a/n/ac (or 802.11b/g/n) > Access Point Name > Radio Monitoring Rapid Update page appears.

The Radio Monitoring Rapid Update page displays the CleanAir statistics for the selected Cisco Radio. You can alternate between the Graphics View and the Text View by clicking the Graphics View/Text View button. You can view and refresh the following statistics by selecting them (using the check boxes) and then clicking the Refresh button on the data page.


Table 2-4 802.11b/g/n Radio Parameters






Load Profile Radio Resource Management (RRM) profile for the Cisco Radio. The profile status is displayed as a pass or fail with details provided on the Radio Statistics data page.

Noise Profile


Coverage Profile

CleanAir Admin Status Status of the CleanAir admin.

CleanAir Oper Status Status of the spectrum sensor for this access point.



Active Interferer Parameters

This table describes the active interferer parameters.

Air Quality

The air quality provides a graphical representation of the average air quality for the access point on this radio.

Non-Wi-Fi Channel Utilization

The non-Wi-Fi channel utilization provides a graphical representation of the non-Wi-Fi channel utilization. The graph displays the percentage of spectrum used by the interference source.

Interference Power

The interference power provides a graphical representation of the non-Wi-Fi based interference source and displays the power level of the channel being affected.

Dual-Band RadiosChoose MONITOR > Access Points > Radios > Dual-Band to navigate to the Dual-Band Radios page.

This page displays the Cisco Radio profile and summary for your 802.11a/b/g/n RF network.

AP List Filter





Table 2-5 Active Interferer Parameters

Parameter Description

Interferer Type Type of the interferer.

Affected Channel Channel that the device affects.

Detected Time Time at which the interference was detected.

Severity Severity index of the interfering device.

Duty Cycle (%) Proportion of time during which the interfering device was active.

RSSI (dBm) Receive signal strength indicator (RSSI) of the access point.

DevID Device identification number that uniquely identifies the interfering device.

ClusterID Cluster identification number that uniquely identifies the type of the devices.


Chapter 2 Monitor Tab Cisco CleanAir


• CleanAir Oper Status—Operational status of the CleanAir capable access point. Choose from the following available statuses:

– UP

– DOWN

– ERROR

– N/A


Click Find to commit your changes. Only the access points that match your search criteria appear on the Dual-Band Radio page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, MAC address:00:1e:f7:75:0a:a0 or AP Name:pmsk-ap).


Dual-Band Radios Summary


This table describes the dual-band radio parameters.

Cisco CleanAir Choose Monitor > Cisco CleanAir to view the Interference Devices or the Air Quality Report pages. From here, you can choose the following:

Table 2-6 Dual-Band Radio Parameters






Load Profile Radio Resource Management (RRM) profile for the Cisco Radio. The profile status is displayed as a pass or fail with details provided on the Radio Statistics data page.

Noise Profile


Coverage Profile

CleanAir Admin Status Status of the CleanAir admin.

CleanAir Oper Status Status of the spectrum sensor for this access point.



• MONITOR > Cisco CleanAir > 802.11 a/n/ac (or 802.11 b/g/n) > Interference Devices to view the the list of the interference devices in your 802.11a/n/ac or 802.11b/g/n RF network. See Cisco CleanAir Interference Devices for more information.

• MONITOR > Cisco CleanAir > 802.11 a/n/ac or 802.11 b/g/n > Air Quality Report. to view the air quality of both the 802.11a/n/ac and 802.11b/g/n radio bands. See Cisco CleanAir Air Quality Report for more information.

Cisco CleanAir Interference DevicesChoose Monitor > Cisco CleanAir > 802.11 a/n/ac (or 802.11 b/g/n) > Interference Devices to navigate to the Cisco CleanAir Interference Devices page. This page displays the list of the interference devices.


This table describes the interference device parameters.

Table 2-7 Interference Device Parameters


AP Name Name of the access point where the interference device is detected.

Radio Slot # Slot that detects the interferes.

Interferer Type Type of the interferer.

Affected Channel Channel that the device affects.

Detected Time Time at which the interference was detected.

Severity Severity index of the interfering device.

Duty Cycle (%) Proportion of time during which the interfering device was active.

RSSI Receive signal strength indicator (RSSI) of the access point.



Click Change Filter to display the information about interference devices based on a particular criteria. Click Clear Filter to remove the filter and display entire access point list.

You can create a filter to display the list of interference devices that are based on the following filtering parameters:

• Cluster ID—To filter based on the Cluster ID, select the check box and enter the Cluster ID in the text box next to this field.

Note When a CleanAir-enabled access point detects interference devices, detections of the same device from multiple sensors are merged together. Each cluster is given a unique ID. Some devices conserve power by limiting the transmit time until actually needed, which allows the spectrum sensor to temporarily stop detecting the device. The device is then marked as down. A down device would be correctly removed from the spectrum database. In cases when all the interferer detections for a specific device are reported down, the cluster is kept alive for an extended period of time to prevent possible device detection bouncing. If the same device is detected again, it is merged to the original cluster and all the device history over time is kept together. For example, some Bluetooth headsets operate on battery power. These devices employ a power saving mode such as turning off the transmitter when it is not actually needed. Such devices can appear up and down. Bouncing prevention smoothens the interferer device records and accurately represents the device history.

• AP Name—To filter based on the access point name, select the check box and enter the access point name in the text box next to this field.

• Interferer Type—To filter based on the type of the interference device, select the check box and select the interferer device from the options.

Select one of the following interferer devices:

DevID Device identification number that uniquely identifies the interfering device.

ClusterID Cluster identification number that uniquely identifies the type of the devices.

When a CleanAir-enabled access point detects interference devices, these detections of the same device from multiple sensors are merged together to create clusters. Each cluster is given a unique ID. Some devices conserve power by limiting the transmit time until actually needed, which causes the spectrum sensor to temporarily stop detecting the device. This device is then correctly marked as down. A down device is removed from the spectrum database. In cases when all the interferer detections for a specific device are reported, the cluster ID is kept alive for an extended period of time to prevent possible device detection bouncing. If the same device is detected again, it is merged to the original cluster ID and the device detection history is preserved.

For example, some Bluetooth headsets operate on battery power. These devices employ methods to reduce power consumption such as turning off the transmitter when it is not actually needed. Such devices can appear to come and go from the classification. To manage these devices, CleanAir keeps the cluster IDs longer and merges them again into a single record upon detection. Preventing bouncing smoothens the interference device records and allows the records to accurately represent the device history.

Table 2-7 Interference Device Parameters




– TDD Transmit

– Jammer

– Continuous TX

– DECT Phone

– Video Camera

– WiFi Inverted

– WiFi Inv. Ch

– SuperAG

– Canopy

– WiMax Mobile

– WiMax Fixed

– WiFi ACI

– Unclassified

• Affected Channels

• Severity

• Duty Cycle (%)

• RSSI

Click Find to commit your changes.

The current filter parameters are displayed in the Current Filter field.

Cisco CleanAir Air Quality ReportChoose Monitor > Cisco CleanAir > 802.11 a/n/ac or 802.11 b/g/n > Air Quality Report to navigate to the Air Quality Report page. This page displays the air quality on the access points. Air Quality is checked on all channels if you have a monitor module for an Cisco Aironet 3600 series access point.


This table describes the Cisco CleanAir air quality report parameters.

Table 2-8 Cisco CleanAir Air Quality Report Parameters


AP Name Name of the access point.

Radio Slot # Slot where the interference is detected.

Channel Channel where the air quality is monitored.

Average AQ Average air quality observed.

Minimum AQ Minimum air quality observed.



Cisco CleanAir Worst Air Quality ReportChoose Monitor > Cisco CleanAir > Worst Air Quality Report. to navigate to the the Worst Air Quality Report page. This page shows the air quality of both the 802.11a/n/ac and 802.11b/g/n radio bands.


This table describes the Cisco CleanAir worst air quality parameters.

To view a list of persistent sources of interference for a specific access point radio, follow these steps:

Step 1 Choose Wireless > Access Points > Radios > 802.11a/n/ac or 802.11b/g/n to open the 802.11a/n/ac (or 802.11b/g/n) Radios page.

Step 2 Click the blue arrow adjacent the desired access point radio and choose CleanAir-RRM. The 802.11a/n/ac (or 802.11b/g/n) Cisco APs > Access Point Name > Persistent Devices page appears.

This page lists the device types of persistent sources of interference detected by this access point radio. It also shows the channel on which the interference was detected, the percentage of time that the interferer was active (duty cycle), the received signal strength (RSSI) of the interferer, and the day and time when the interferer was last detected.

Interferer Number of devices that affect a particular channel.

DFS (Dynamic Frequency Selection) Whether DFS is enabled.

Table 2-8 Cisco CleanAir Air Quality Report Parameters


Table 2-9 Cisco CleanAir Worst Air Quality


AP Name Name of the access point that reported the worst air quality for the 802.11a/n/ac or 802.11b/g/n radio band.

Channel Number Radio channel with the worst reported air quality.

Minimum Air Quality Index (1 to 100) Minimum air quality for this radio channel. An air quality index (AQI) value of 100 is the best, and 1 is the worst.

Average Air Quality Index (1 to 100) Average air quality for this radio channel. An air quality index (AQI) value of 100 is the best, and 1 is the worst.

Interference Device Count Number of interferers detected by the radios on the 802.11a/n/ac or 802.11b/g/n radio band.


Chapter 2 Monitor Tab Statistics

StatisticsChoose MONITOR > Statistics to navigate to the Statistics page. From here, you can choose the following:

• MONITOR > Statistics > Controller to view the controller statistics.

See Controller Statistics for more information.

• MONITOR > Statistics > AP Join to view all the access points that have joined or have tried to join to the controller.

See AP Join Stats for more information.

• MONITOR > Statistics > Port to view the status of each port on the controller.

See Port Statistics for more information.

• MONITOR > Statistics > RADIUS Servers to view addressing and status information of your RADIUS servers.

See RADIUS Servers Statistics for more information.

• MONITOR > Statistics > Mobility Statistics to view the statistics for mobility group events.

See Mobility Statistics for more information.

• MONITOR > Statistics > IPv6 Neighbor Bind Counters to view counter statistics for the following Neighbor Discovery Protocol (NDP) and Dynamic Host Configuration Protocol (DHCP) packets.

See IPv6 Neighbor Bind Counters for more information.

• MONITOR > Statistics > PMIPv6 LMA Statistics to view the statistics of all the LMA (Local Mobility Anchor) that the controller is connected to.

See PMIPv6 LMA Statistics for more information.

• MONITOR > Statistics > Preferred Mode Statistics to view the details of the APs on which the IP config (Global/ AP Group) has been configured.

See Preferred Mode for more information.

Controller StatisticsChoose MONITOR > Statistics > Controller to view the controller statistics.

Note All the statistics related to received packets are Ethernet packets received on the controller port . These packets are a combination of CAPWAP packets, and packets from any wired infrastructure that reach the controller.All the statistics related to packets transmitted from the controller include CAPWAP packets to access points and non-encapsulated packets to wired infrastructure.

This table describes the controller summary statistics.



.Table 2-10 Controller Summary Statistics


Octets Received Total number of octets of data received by the processor (excluding framing bits but including FCS octets).

Packets Received Without Error Total number of packets received by the processor.

Unicast Packets Received Number of subnetwork-unicast packets delivered to a higher-layer protocol.

Multicast Packets Received Total number of packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.

Broadcast Packets Received Total number of packets received that were directed to the broadcast address.

Receive Packets Discarded Number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their delivery to a higher-layer protocol. A possible reason for discarding a packet could be to free up buffer space.

Octets Transmitted Total number of octets transmitted out of the interface, including framing characters.

Packets Transmitted without Errors Total number of packets transmitted out of the interface.

Unicast Packets Transmitted Total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those packets that were discarded or not sent.

Multicast Packets Transmitted Total number of packets that higher-level protocols requested be transmitted to a multicast address, including those that were discarded or not sent.

Broadcast Packets Transmitted Number of packets that higher-level protocols requested be transmitted to the broadcast address, including those that were discarded or not sent.

Transmit Packets Discarded Number of outbound packets that were chosen to be discarded even though no errors had been detected to prevent their delivery to a higher-layer protocol. A possible reason for discarding a packet could be to free up buffer space.

Most Address Entries Ever Used Highest number of Forwarding Database Address Table entries that have been learned by this controller since the most recent reboot.

Address Entries in Use Number of learned and static entries in the Forwarding Database Address Table for this controller.

Maximum VLAN Entries Maximum number of Virtual LANs (VLANs) allowed on this controller.

Most VLAN Entries Ever Used Largest number of VLANs that have been active on this controller since the last reboot.



Click Clear Counters to set all summary and detailed controller statistics counters to zero; also resets the Time Since Counters Last Cleared field.

AP Join StatsChoose MONITOR > Statistics > AP Join to navigate to the AP Join Stats page.

The join statistics for an access point that send a CAPWAP discovery request to the controller at least once are maintained on the controller even if the access point is rebooted or disconnected. These statistics are removed only if the controller is rebooted or if you choose to clear the statistics.

This page lists all of the access points that are joined to the controller or that have tried to join. It shows the radio MAC address, access point name, current join status, Ethernet MAC address, IP address, and last join time for each access point.

The total number of access points appears in the upper right-hand corner of the page. If the list of access points spans multiple pages, you can access these pages by clicking the page number links. Each page shows the join statistics for up to 25 access points.

AP List Filter




• Ethernet MAC Address—MAC address.


Note When you enable one of these filters, the other filter is disabled automatically.

Click Find to commit your changes. Only the access points that match your search criteria appear on the AP Join Stats page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, MAC Address:00:1e:f7:75:0a:a0 or AP Name:pmsk-ap).

Note If you want to remove the filter and display the entire access point list, click Show All.

Click the MAC address of the radio to see detailed statistics for each port on the AP Join Stats Detail page (see AP Join Stats Details for more information).

To remove an access point from the list, click the blue arrow adjacent the desired access point and choose Remove.

Static VLAN Entries Number of presently active VLAN entries on this controller that have been created statically.

Time Since Counters Last Cleared Elapsed time, in days, hours, minutes, and seconds, since the statistics for this controller were last cleared.

Table 2-10 Controller Summary Statistics




Click Clear Stats on All APs to clear the statistics for all access points.

AP Join Stats Details

Choose MONITOR > Statistics > AP Join and then click the base radio MAC address to navigate to the AP Join Stats Detail page. This page provides information on each phase of the join process and shows any errors that have occurred.

Port StatisticsChoose MONITOR > Statistics > Ports to navigate to the Ports Statistics page. This page displays the status of each port on the controller. This table describes the ports statistics parameters.

The Physical Mode and Status may reflect different values depending on the link status. For example, the Physical Mode may be set to Auto while the link actually runs at 10 Mbps half duplex.


Parameter Description Range

Port No Port number on the controller. 1–12 for 10/100BASE-T, 13 for 1000BASE-T or 1000BASE-SX.

1–24 for 10/100BASE-T, 25 for 1000BASE-T or 1000BASE-SX.

1 for 1000BASE-SX on a Cisco 4100 Series Wireless LAN Controller.

1 for 1000BASE-SX on a Cisco 4100 Series Wireless LAN Controller.

Admin Status State of the port. Enable or Disable.

Physical Mode Configuration of the port physical interface.

Auto.

100 Mbps full duplex.

100 Mbps half duplex.




Note In a Cisco NMWLC6 controller, the physical mode is always set to Auto.

Physical Status Actual port physical interface. Auto.






Link Status Displays the status of the link. Link Up or Link Down.



Click View Stats to see detailed statistics for each port on Ports Statistics Details.

Ports Statistics Details

Choose MONITOR > Statistics > Ports and then click View Stats to view the port details.

This table describes the port statistics.

Table 2-12 Port Statistics

Parameter Received Description Transmitted Description

Total Bytes Total number of octets of data (including those octets in bad packets) received on the network (excluding framing bits but including FCS octets). This object can be used as a reasonable estimate of Ethernet utilization. If greater precision is desired, the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval. The result of this equation is the value Utilization which is the percentage of utilization of the Ethernet segment on a scale of 0 to 100 percent.

Number of octets of data (including those octets in bad packets) received on the network (excluding framing bits but including FCS octets). This object can be used as a reasonable estimate of Ethernet utilization. If greater precision is desired, the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval.

Packets (64 Octets) Total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including FCS octets).

Total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including FCS octets).

Packets (65-127 Octets)

Total number of packets (including bad packets) received that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).


Packets (128-255 Octets)



Packets

(256-511 Octets)



Packets

(512-1023 Octets)





Maximum Info size allowed—The maximum size of the Info (non-MAC) field that this port receives or transmits.

This table describes the successful packets parameters.

This table describes the protocol statistics.

Packets

(1024-1518 Octets)



Packets

(> 1518 Octets)

Total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.

Total number of packets transmitted that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.

Table 2-12 Port Statistics


Table 2-13 Successful Packets


Total Total number of packets received that were without errors.

Total number of packets transmitted that were without errors.

Unicast Packets Number of subnetwork-unicast packets delivered to a higher-layer protocol.

Total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those packets that were discarded or not sent.

Multicast Packets Total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.

Total number of packets that higher-level protocols requested be transmitted to a multicast address, including those packets that were discarded or not sent.

Broadcast Packets Total number of good packets received that were directed to the broadcast address.

Total number of packets that higher-level protocols requested be transmitted to the broadcast address, including those packets that were discarded or not sent.

Table 2-14 Protocol Statistics


802.3x Pause Frames Received

Media Access Control (MAC) frames received on this interface with an opcode indicating a PAUSE. This counter does not increment when the interface operates in half-duplex mode.

–



Time Since Counters Last Cleared—The elapsed time, in days, hours, minutes, and seconds since the statistics for this port were last cleared.

Click Clear Counters to set all summary and controller detailed statistics counters to zero and to reset the “Time Since Counters Last Cleared” field.

This table describes the received packets with MAC errors parameters.

This table describes the details of received packets not forwarded.

Table 2-15 Received Packets with MAC Errors Parameters


Total Total number of inbound packets that contained errors preventing them from delivery to a higher-layer protocol.

Jabbers Number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error). This definition of jabber differs from the definition in IEEE 802.3, section 8.2.1.5 (10BASE-5) and section 10.3.1.4 (10BASE-2). These documents define jabber as the condition where any packet exceeds 20 ms. The allowed range to detect jabber is between 20 ms and 150 ms.

Fragments/ Undersize

Number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets).

Alignment Errors Number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with a nonintegral number of octets.

FCS Errors Number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.

Overruns Number of frames discarded because this port was overloaded with incoming packets and could not keep up with the inflow.

Table 2-16 Details of Received Packets Not Forwarded


Total Count of valid frames received that were discarded or filtered by the forwarding process.

Local Traffic Frames Total number of dropped frames in the forwarding process because the destination address was located off of this port.

802.3x Pause Frames Received Count of MAC control frames received on this interface with an opcode indicating the PAUSE operation. This counter does not increment when the interface operates in half-duplex mode.

Unacceptable Frame Type Number of frames discarded from this port due to unacceptable frame types.

VLAN Membership Mismatch Number of frames discarded on this port due to ingress filtering.



This table describes the transmit error parameters.

This table describes the transmit discard parameters.

VLAN Viable Discards Number of frames discarded on this port because a lookup on a particular VLAN occurred while that entry in the VLAN table was modified, or if the VLAN had not been configured.

Multicast Tree Viable Discards Number of frames discarded because a lookup in the multicast tree for a VLAN occurred while that tree was modified.

Reserved Address Discards Number of frames discarded that were destined to an IEEE 802.1 reserved address and were not supported by the system.

CFI Discards Number of frames discarded that had the CFI bit set and the addresses in RIF were in noncanonical format.

Upstream Threshold Number of frames discarded due to a lack of cell descriptors available for that packet's priority level.

Table 2-16 Details of Received Packets Not Forwarded


Table 2-17 Transmit Error Parameters


Total Errors Sum of Single, Multiple, and Excessive Collisions.

FCS Errors Total number of packets transmitted that had a length (excluding framing bits, but including FCS octets) between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.

Oversized Number of frames that exceeded the maximum permitted frame size. This counter has a maximum increment rate of 815 counts per second at 10 Mbps.

Underrun Errors Number of frames discarded because the transmit FIFO buffer became empty during the frame transmission.

Table 2-18 Transmit Discard Parameters


Total Discards Sum of discarded single collision frames, discarded multiple collision frames, and discarded excessive frames.

Single Collision Frames Count of the number of successfully transmitted frames on a particular interface for which transmission was inhibited by one collision.

Excessive Collisions Count of frames for which transmission on a particular interface failed due to excessive collisions.

Port Membership Number of frames discarded on egress for this port due to egress filtering being enabled.



RADIUS Servers StatisticsChoose MONITOR > Statistics > RADIUS Servers to navigate to the RADIUS Servers page.

This page displays addressing and status information for your Remote Authentication Dial-In User Servers (RADIUS). Configure the authentication and accounting servers by choosing the Security tab from the menu bar.

This table describes the authentication server and accounting server status parameters.

Click Stats to display the statistics page for the selected server (RADIUS Servers Authentication Stats or RADIUS Servers Accounting Stats).

RADIUS Servers Authentication Stats

Choose MONITOR > Statistics > RADIUS Servers and then click Stats in a RADIUS Authentication entry to navigate to the RADIUS Server Authentication Stats page.

This page displays addressing and status information for your RADIUS servers.

Authentication Server Addressing

This table describes the authentication server addressing parameters.

VLAN Viable Discards Number of frames discarded on this port because a lookup on a particular VLAN occurred while that entry in the VLAN table was modified, or if the VLAN had not been configured.

Multiple Collision Frames Count of the number of successfully transmitted frames on a particular interface for which transmission was inhibited by more than one collision.

Table 2-18 Transmit Discard Parameters


Table 2-19 Authentication Server and Accounting Server Status Parameters


Index Access priority number for RADIUS servers. Up to 17 authentication and 17 accounting servers can be configured. The controller polling of the servers starts with Index 1, Index 2 second, and so forth. The index number is based on the server index priority that is selected for a RADIUS server when it is added to the controller.

Address IP address of the RADIUS server.

Port Communication port.

Admin Status Enabled or disabled.



Authentication Server Statistics

This table describes the authentication server statistics parameters.

Table 2-20 Authentication Server Addressing Parameters


Server Index Access priority number for RADIUS servers. Up to 17 servers can be configured. The controller polling of the servers starts with Index 1 first, Index 2 second, and so on. The index number is based on the server index priority that is selected for a RADIUS server when it is added to the controller.

Server Address IP address of the RADIUS server.

Admin Status State of the server.

Table 2-21 Authentication Server Statistics Parameters


Msg Round Trip Time Time interval between the most recent Access-Reply/Access-Challenge and the Access-Request that matched it from this RADIUS authentication server.

First Requests Number of RADIUS Access-Request packets sent to this server. This number does not include retransmissions.

Retry Requests Number of RADIUS Authentication-Request packets retransmitted to this RADIUS authentication server.

Accept Responses Number of RADIUS Access-Accept packets (valid or invalid) received from this server.

Reject Responses Number of RADIUS Access-Reject packets (valid or invalid) received from this server.

Challenge Responses Number of RADIUS Access-Challenge packets (valid or invalid) received from this server.

Malformed Messages Number of malformed RADIUS Access-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators, signature attributes, or unknown types are not included as malformed access responses.

Bad Authenticator Msgs Number of RADIUS Access-Response packets that contain invalid authenticators or signature attributes received from this server.

Pending Requests Number of RADIUS Access-Request packets destined for this server that have not yet timed out or received a response. This variable is incremented when an Access-Request is sent and decremented due to receipt of an Access-Accept, Access-Reject, Access-Challenge, a timeout, or retransmission.

Timeout Requests Number of authentication timeouts to this server. After a timeout, the client may retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different server is counted as a Request as well as a timeout.



RADIUS Servers Accounting Stats

Choose MONITOR > Statistics > RADIUS Servers and then click Stats in a RADIUS Accounting entry to navigate to the RADIUS Servers Accounting Stats page.

This page displays addressing and status information for your Remote Authentication Dial-In User Servers.

Accounting Server Addressing

This table describes the accounting server addressing parameters.

Accounting Server Statistics

This table describes the accounting server statistics parameters.

Unknown Type Msgs Number of RADIUS packets of unknown type received from this server on the authentication port.

Other Drops Number of RADIUS packets received from this server on the authentication port and dropped for some other reason.

Table 2-21 Authentication Server Statistics Parameters


Table 2-22 Accounting Server Addressing Parameters


Server Index Access priority number for RADIUS servers. Up to 17 servers can be configured. The controller polling of the servers starts with Index 1 first, Index 2 second, and so on. The index number is based on the server index priority that is selected for a RADIUS server when it is added to the controller.


Admin Status State of the server.

Table 2-23 Accounting Server Statistics Parameters


Msg Round Trip Time Time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.

First Requests Number of RADIUS Accounting-Request packets sent. This number does not include retransmissions.

Retry Requests Number of RADIUS Accounting-Request packets retransmitted to this RADIUS accounting server. Retransmissions include retries where the Identifier and Acct-Delay have been updated, as well as those in which they remain the same.

Accounting Responses Number of RADIUS packets received on the accounting port from this server.



Mobility StatisticsChoose MONITOR > Statistics > Mobility Statistics to navigate to the Mobility Statistics page.

This page displays the statistics for mobility group events and is divided into the following three groups:

• Global Statistics that affect all mobility transactions.

• Mobility Initiator Statistics generated by the controller that initiates the mobility event.

• Mobility Responder Statistics generated by the controller that responds to a mobility event.

Global Mobility Statistics

This table describes the global mobility statistics parameters.

Malformed Messages Number of malformed RADIUS Accounting-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators and unknown types are not included as malformed accounting responses.

Bad Authenticator Msgs Number of RADIUS Accounting-Response packets that contained invalid authenticators received from this server.

Pending Requests Number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response. This variable is incremented when an Accounting-Request is sent and decremented due to receipt of an Accounting-Response, a timeout, or a retransmission.

Timeout Requests Number of accounting timeouts to this server. After a timeout, the client may retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different server is counted as an Accounting-Request as well as a timeout.

Unknown Type Msgs Number of RADIUS packets of unknown type received from this server on the accounting port.

Other Drops Number of RADIUS packets that were received from this server on the accounting port and dropped for some other reason.

Table 2-23 Accounting Server Statistics Parameters


Table 2-24 Global Mobility Statistics Parameters


Rx Errors Generic protocol packet receive errors (such as the packet was too short or format was incorrect).

Tx Errors Generic protocol packet transmit errors, such as the packet transmission failed.



Mobility Initiator Statistics

This table describes the mobility initiator statistics.

Responses Retransmitted Number of retransmitted responses. The mobility protocol uses UDP and it resends requests several times if it does not receive a response. Because of network or processing delays, the responder may receive one or more retry requests after it initially responds to a request. This count includes the response resends.

Handoff Requests Received Number of handoff requests received, ignored, or responded.

Handoff End Requests Received Total number of handoff end requests received. These requests are sent by the anchor or the foreign controller to notify the other about the close of a client session.

State Transitions Disallowed Number of disallowed state transitions. PEM (policy enforcement module) has denied a client state transition, which results in an aborted handoff.

Resource Unavailable Unavailable resource, such as a buffer, which resulted in an aborted handoff.

Table 2-24 Global Mobility Statistics Parameters


Table 2-25 Mobility Initiator Statistics


Handoff Requests Sent Number of clients that have associated with the controller and have been announced to the mobility group.

Handoff Replies Received Number of handoff replies that have been received in response to the requests sent.

Handoff as Local Received Number of handoffs in which the entire client session has been transferred.

Handoff as Foreign Received Number of handoffs in which the client session was anchored elsewhere.

Handoff Denys Received Number of handoffs that were denied.

Anchor Request Sent Number of anchor requests that were sent for a three party (foreign to foreign) handoff. The handoff was received from another foreign controller and the new controller is requesting the anchor controller to move the client.

Anchor Deny Received Number of anchor requests that were denied by the current anchor.



Mobility Responder Statistics

This table describes the mobility responder statistics.

IPv6 Neighbor Bind CountersChoose MONITOR > Statistics > IPv6 Neighbor Bind Counters to navigate to the IPv6 Neighbor Bind Counters page.

This page displays counter statistics for the following Neighbor Discovery Protocol (NDP) and Dynamic Host Configuration Protocol (DHCP) packets:

• Received Messages

• Bridged Messages

• Dropped Messages

• NDSUPRRESS Drop counters

Anchor Grant Received Number of anchor requests that were approved by the current anchor.

Anchor Transfer Received Number of anchor requests that closed the session on the current anchor and transferred the anchor back to the requestor.

Table 2-25 Mobility Initiator Statistics


Table 2-26 Mobility Responder Statistics


Handoff Requests Ignored Number of handoff requests/client announcements that were ignored. The controller had no knowledge of that client.

Ping Pong Handoff Requests Dropped Number of handoff requests that were denied because the handoff period was too short (3 seconds).

Handoff Requests Dropped Number of handoff requests that were dropped due to a either an incomplete knowledge of the client or a problem with the packet.

Handoff Requests Denied Number of handoff requests that were actively denied.

Client Handoff as Local Number of handoffs responses sent while in the local role.

Client Handoff as Foreign Number of handoffs responses sent while in the foreign role.

Anchor Requests Received Number of anchor requests received.

Anchor Requests Denied Number of anchor requests denied.

Anchor Requests Granted Number of anchor requests granted.

Anchor Transferred Number of anchors transferred because the client moved from a foreign controller to a controller on the same subnet as the current anchor.



• SNOOPING Drop counters

Received Messages

This table describes the received message statistics.

Table 2-27 Received Message Statistics


NDP Router Solicitation Number of received messages originated by the hosts to request a router to send a router advertisement.

NDP Router Advertisement Number of received messages originated by the routers to advertise their presence and link-specific parameters such as link prefixes, link MTU, and hop limits. These messages are sent periodically and also in response to router solicitation messages.

NDP Neighbor Solicitation Number of received messages originated by the nodes to request the link layer address of another node and also for functions such as duplicate address detection and neighbor unreachability detection.

NDP Neighbor Advertisement Number of received messages in response to neighbor solicitation messages. If a node changes its link-layer address, it can send an unsolicited neighbor advertisement to advertise the new address.

NDP Redirect Number of received messages to inform a host of a better first-hop node on the path to a destination. Hosts can be redirected to a better first-hop router but can also be informed by a redirect that the destination is in fact a neighbor.

NDP Certificate Solicit Number of received messages to know the certification path to the trust anchor. Hosts will send the Certification Path Solicitations.

NDP Certificate Advert Number of received messages to know the certification path to the trust anchor. Routers will send the Certification Path Advertisement messages.

DHCPv6 Solicitation Number of received messages sent by a client to locate DHCPv6 servers.

DHCPv6 Advertisement Number of received messages sent by a DHCPv6 server in response to a DHCPv6 solicitation message to indicate availability.

DHCPv6 Request Number of received messages sent by a client to request addresses or configuration settings from a server.

DHCPv6 Reply Number of received messages sent by a DHCPv6 server to a client in response to a Solicit, Request, Renew, Rebind, Information-Request, Confirm, Release, or Decline message.

DHCPv6 Inform Number of received messages sent by a client to request configuration settings (but not addresses).



Bridged Messages

This table describes the bridged message statistics.

DHCPv6 Confirm Number of received messages sent by a client to all servers to determine if a client's configuration is valid for the connected link.

DHCPv6 Renew Number of received messages sent by a client to a server to extend the lifetime of assigned addresses and obtain updated configuration settings.

DHCPv6 Rebind Number of received messages sent by a client to any server when a response to the DHCPv6 Renew message is not received.

DHCPv6 Release Number of received messages sent by a server to a client in response to a Solicit, Request, Renew, Rebind, Information-Request, Confirm, Release, or Decline message.

DHCPv6 Decline Number of received messages sent by a client to a server to indicate that the assigned address is already in use.

DHCPv6 Reconfigure Number of received messages sent by a server to a client to indicate that the server has new or updated configuration settings.

DHCPv6 Relay Forward Number of received messages sent by a relay agent to forward a message to a server. Contains a client message encapsulated as the DHCPv6 Relay-Message option.

DHCPv6 Relay Reply Number of received messages sent by a server to send a message to a client through a relay agent. Contains a server message encapsulated as the DHCPv6 Relay-Message option.

Table 2-27 Received Message Statistics


Table 2-28 Bridged Message Statistics


NDP Router Solicitation Number of received bridged messages originated by the hosts to request a router to send a router advertisement.

NDP Router Advertisement Number of received bridged messages originated by the routers to advertise their presence and link specific parameters such as link prefixes, link MTU, and hop limits. These messages are sent periodically and also in response to Router Solicitation messages.

NDP Neighbor Solicitation Number of received bridged messages originated by the nodes to request another node's link layer address and also for functions such as duplicate address detection and neighbor unreachability detection.



NDP Neighbor Advertisement Number of received bridged messages in response to Neighbor Solicitation messages. If a node changes its link-layer address, it can send an unsolicited Neighbor Advertisement to advertise the new address.

NDP Redirect Number of received bridged messages to inform a host of a better first-hop node on the path to a destination. Hosts can be redirected to a better first-hop router but can also be informed by a redirect that the destination is in fact a neighbor.

NDP Certificate Solicit Number of received bridged messages to know the certification path to the trust anchor. Hosts will send the Certification Path Solicitations.

NDP Certificate Advert Number of received bridged messages to know the certification path to the trust anchor. Routers will send the Certification Path Advertisement messages.

DHCPv6 Solicitation Number of received bridged messages sent by a client to locate DHCPv6 servers.

DHCPv6 Advertisement Number of received bridged messages sent by a DHCPv6 server in response to a DHCPv6 Solicitation message to indicate availability.

DHCPv6 Request Number of received bridged messages sent by a client to request addresses or configuration settings from a server.

DHCPv6 Reply Number of received bridged messages sent by a DHCPv6 server to a client in response to a Solicit, Request, Renew, Rebind, Information-Request, Confirm, Release, or Decline message.

DHCPv6 Inform Number of received bridged messages sent by a client to request configuration settings (but not addresses).

DHCPv6 Confirm Number of received bridged messages sent by a client to all servers to determine if a client's configuration is valid for the connected link.

DHCPv6 Renew Number of received bridged messages sent by a client to a server to extend the lifetime of assigned addresses and obtain updated configuration settings.

DHCPv6 Rebind Number of received bridged messages sent by a client to any server when a response to the DHCPv6 Renew message is not received.

DHCPv6 Release Number of received bridged messages sent by a server to a client in response to a DHCPv6 Solicitation, Request, Renew, Rebind, Information-Request, Confirm, Release, or Decline message.

DHCPv6 Decline Number of received bridged messages sent by a client to a server to indicate that the assigned address is already in use.





Dropped Messages

This table describes the dropped message statistics.

DHCPv6 Reconfigure Number of received bridged messages sent by a server to a client to indicate that the server has new or updated configuration settings. The client then sends either a Renew or Information-Request message.

DHCPv6 Relay Forward Number of received bridged messages sent by a relay agent to forward a message to a server. Contains a client message encapsulated as the DHCPv6 Relay-Message option.

DHCPv6 Relay Reply Number of received bridged messages sent by a server to send a message to a client through a relay agent. Contains a server message encapsulated as the DHCPv6 Relay-Message option.



Table 2-29 Dropped Message Statistics


NDP RS Drop (Router Solicitation) Number of messages dropped that are originated by the hosts to request a router to send a Router Advertisement.

NDP RA Drop (Router Advertisement) Number of messages dropped that are originated by the routers to advertise their presence and link-specific parameters such as link prefixes, link MTU, and hop limits. These messages are sent periodically and also in response to Router Solicitation messages.

NDP NS Drop (Neighbor Solicitation) Number of messages dropped that are originated by the nodes to request another node's link layer address and also for functions such as duplicate address detection and neighbor unreachability detection.

NDP NA Drop (Neighbor Advertisement) Number of messages dropped in response to Neighbor Solicitation messages. If a node changes its link-layer address, it can send an unsolicited Neighbor Advertisement to advertise the new address.

DHCPv6 Solicitation Number of messages dropped that are sent by a client to locate DHCPv6 servers.

DHCPv6 Advertisement Number of messages dropped that are sent by a DHCPv6 server in response to a DHCPv6 Solicitation message to indicate availability.



NDSUPRRESS Drop Counters

This table describes the NDSUPRESS drop counter statistics.

SNOOPING Drop Counters

This table describes the SNOOPING drop counter statistics.

DHCPv6 Reply Number of messages dropped that are sent by a DHCPv6 server to a client in response to a Solicit, Request, Renew, Rebind, Information-Request, Confirm, Release, or Decline message.

DHCPv6 Inform Number of messages dropped that are sent by a client to request configuration settings (but not addresses).

Table 2-29 Dropped Message Statistics


Table 2-30 NDSUPRESS Drop Counter Statistics


total Total number of NDSUPRESS dropped messages.

silent Number of silently dropped messages.

ns_in_out Number of Neighbor Solicitation (NS) owner messages on the input interface.

ns_dad Number of NS Duplicate Address Detection (DAD) messages suppressed.

unicast Number of NS unicast messages suppressed.

multicast Number of NS multicast messages suppressed.

internal Number of internal failure messages.

Table 2-31 SNOOPING Drop Counter Statistics


Dropped Messages Name of the dropped messages.

total Total number of dropped messages.

silent Number of silently dropped messages.

internal Number of internal failure messages.

CGA_vfy Number of messages where Cryptographically Generated Address (CGA) option is not getting verified.

RSA_vfy Number of messages where RSA signature is not getting verified.

limit Number of messages in which the address limit is reached.



CacheMiss Statistics

This table describes the CacheMiss statistics.

Click Clear Count to set all IPv6 Neighbor Bind Counter statistics to zero.

PMIPv6 LMA StatisticsChoose MONITOR > Statistics > PMIPv6 LMA Statistics to navigate to the PMIPv6 LMA Statistics page.

This page enables you to view the statistics of all the LMA (Local Mobility Anchor) that the controller is connected to. This table describes the LMA statistics.

.

martian Number of Martian packets.

A Martian packet is an IP packet which specifies a source or destination address that is reserved for special-use by Internet Assigned Numbers Authority (IANA) and cannot actually originate as claimed or be delivered. Martian packets commonly arise from IP address spoofing in denial-of-service attacks, but can also arise from network equipment malfunction or misconfiguration of a host.

martian_mac Number of Martian MAC packets.

no_trust Number of packets marked for detection of policy and collision.

not_auth Number of packets that are not authorized on port.

stop Number of packets that are accepted, but not forwarded.

Table 2-31 SNOOPING Drop Counter Statistics


Table 2-32 CacheMiss Statistics


Multicast NS Forwarded Total number of NS-forwarded multicast messages.

Multicast NS Dropped Total number of NS-dropped multicast messages.

Table 2-33 LMA Statistics


LMA Name Name of the LMA.

Total Bindings Total number of binding updates sent to the LMA by the controller.



Preferred ModeChoose MONITOR > Statistics > Preferred Mode to navigate to the Preferred Mode Statistics page.

This page enables you to view the details of the APs on which the IP config (Global/ AP Group) has been configured.

.

PBU Sent Total number of Proxy Binding Updates (PBUs) sent to the LMA by the controller.

PBU is a request message sent by the Mobile Access Gateway (MAG) to a mobile node’s LMA for establishing a binding between the mobile node’s interface and its current care-of address (Proxy-CoA).

PBA Received Total number of Proxy Binding Acknowledgements (PBAs) received by the controller for the LMA.

PBA is a reply message sent by an LMA in response to a PBU message that it received from a MAG.

PBRI Sent Total number of Proxy Binding Revocation Indications (PBRIs) sent by the controller to the LMA.

PBRI Received Total number of PBRIs received from the LMA by the controller.

PBRA Sent Total number of Proxy Binding Revocation Acknowledgements (PBRAs) sent by the controller to the LMA.

PBRA Received Total number of PBRAs received from the LMA by the controller.

Number of Handoff Number of handoffs between the controller and the LMA.

PBU Dropped Number of PBUs dropped between the controller and the LMA.

Table 2-33 LMA Statistics


Table 2-34 Preferred Mode Statistics


Prefer Mode of Global/AP Groups The name of the AP that is configured with either IPv4, IPv6 or global.

Total The total count of APs configured with preferred mode.

Success Counts the number of times the AP was successfully configured with the preferred mode.

Unsupported The number of APs that are not supported with the controller.


Chapter 2 Monitor Tab Cisco Discovery Protocol

Cisco Discovery ProtocolChoose MONITOR > CDP to navigate to the CDP page. From here, you can choose the following:

• MONITOR > CDP > Interface Neighbors to view a list of all CDP neighbors on all interfaces.

See CDP Interface Neighbors for more information.

• MONITOR > CDP > AP Neighbors to view a all access points with CDP neighbors.

See CDP AP Neighbors for more information.

• MONITOR > CDP > Traffic Metrics to display CDP traffic information.

See CDP Traffic Metrics for more information.

CDP Interface NeighborsChoose MONITOR > CDP > Interface Neighbors to navigate to the CDP Interface Neighbors page.

This page enables you to view a list of all Cisco Discovery Protocol neighbors on all interfaces.

This table describes the CDP interface neighbor parameters.

Already Configured Counts the attempts made to configure an already configured AP.

Per AP Group Configured Preferred mode configured on per AP group

Failure Counts the number of times the AP was failed to get configured with the preferred mode.

Table 2-34 Preferred Mode Statistics


Table 2-35 CDP Interface Neighbor Parameters


Local Interface Local interface name.

Neighbor Name Name of each CDP neighbor.

Neighbor Address IPv4 or IPv6 address of the CDP neighbor.

Neighbor Port IP address of each CDP neighbor.

TTL Time left (in seconds) before each CDP neighbor entry expires.



Click the neighbor name to view the CDP Neighbors Details page.

CDP Interface Neighbors DetailsChoose MONITOR > CDP > Interface Neighbors, and then click the neighbor name for the desired interface to view the CDP Interface Neighbors Details page. This page enables you to view detailed information about the Cisco Discovery Protocol neighbor of each interface.

This table describes the CDP neighbor details.

.

Capability Functional capability of each CDP neighbor:

• R—Router

• T—Trans Bridge

• B—Source Route Bridge

• S—Switch

• H—Host

• I—IGMP

• r—Repeater

• M—Remotely Managed Device

Platform CDP neighbor device platform.

Table 2-35 CDP Interface Neighbor Parameters


Table 2-36 CDP Neighbor Detail Parameters


Local Interface controller port on which the CDP packets were received.

Neighbor Name Name of the CDP neighbor.

Neighbor Address IPv4 or IPv6 address of the CDP neighbor.

Neighbor Port Port used by the CDP neighbor for transmitting CDP packets.

Duplex Duplex type of the CDP neighbor.

Advt Version CDP version being advertised (v1 or v2).

TTL Time left (in seconds) before the CDP neighbor entry expires.



CDP AP NeighborsChoose MONITOR > CDP > AP Neighbors to navigate to the AP Neighbors page. This page enables you to view a list of all access points with CDP neighbors.

This table describes the CDP AP neighbor details.

Click CDP Neighbors to view the CDP neighbors for the access points that are connected to the controller in the CDP Neighbors page.

CDP NeighborsChoose MONITOR > CDP > AP Neighbors and then click CDP Neighbors for an access point to navigate to the CDP Neighbors page. This page enables you to view the CDP neighbors for the access points that are connected to the controller.

This table describes the AP neighbor parameters.

Capability Functional capability of the CDP neighbor:

• Router

• Trans Bridge

• Source Route Bridge

• Switch

• Host

• IGMP

• Repeater

• Remotely Managed Device

Platform Hardware platform of the CDP neighbor device.

Software Version Software running on the CDP neighbor.

Table 2-36 CDP Neighbor Detail Parameters


Table 2-37 CDP AP Neighbor Details


AP Name Access point name.

CDP Neighbors CDP neighbor name.

Table 2-38 AP Neighbor Parameters



AP IP Address IP address of the access point.

Neighbor Name Name of the neighbor.



CDP Neighbors DetailsChoose MONITOR > CDP > AP Neighbors, and then click the access point name for the desired access point and view the CDP AP Neighbors Details page. This page enables you to view to see more detailed information about an access point’s CDP neighbor.

The following AP neighbor details are displayed:

• AP Name—The name of the access point

• Basic Radio MAC—The MAC address of the access point’s radio

• AP IP Address—The IP address of the access point

• Local Interface—The interface on which the CDP packets were received

• Neighbor Name—The name of the CDP neighbor

• Neighbor Address—The IPv4 and IPv6 address of the CDP neighbor

• Neighbor Port—The port used by the CDP neighbor

• Advt Version—The CDP version being advertised (v1 or v2)

• TTL—The time left (in seconds) before the CDP neighbor entry expires

• Capability—The functional capability of the CDP neighbor:

– Router

– Trans Bridge

– Source Route Bridge

– Switch

– Host

– IGMP

– Repeater

– Remotely Managed Device

• Platform—The hardware platform of the CDP neighbor device

• Software Version—The software running on the CDP neighbor

CDP Traffic MetricsChoose MONITOR > CDP > Traffic Metrics to navigate to the CDP Traffic Metrics page. This page displays CDP traffic information.

This table describes the CDP traffic metrics parameters.

Neighbor Address IP address of the neighbor.

Neighbor Port Port number of the neighbor.

Advt Version Advertised CDP version (v1 or v2).

Table 2-38 AP Neighbor Parameters



Chapter 2 Monitor Tab Rogues

RoguesChoose MONITOR > Rogues to navigate to the Rogues page. From here, you can choose the following:

• MONITOR > Rogues > Friendly APs to view rogue access points that are classified as Friendly.

See Friendly Rogue APs for more information.

• MONITOR > Rogues > Malicious APs to view rogue access points that are classified as Malicious.

See Malicious Rogue APs for more information.

• MONITOR > Rogues > Custom APs to view rogue access points that are classified as Custom.

See Custom Rogue APs for more information.

• MONITOR > Rogues > Unclassified APs to view rogue access points that are unclassified.

See Unclassified Rogue APs for more information.

• MONITOR > Rogues > Rogue Clients to view information about rogue clients that are detected.

See Rogue Clients for more information.

• MONITOR > Rogues > Adhoc Rogues to view information about ad-hoc rogue clients that are detected.

See Adhoc Rogues for more information.

• MONITOR > Rogues > Rogue AP ignore-lists to view the MAC addresses of access points that are configured to be ignored.

See Rogue AP Ignore-list for more information.

Friendly Rogue APsChoose MONITOR > Rogues > Friendly APs to navigate to the Friendly Rogue APs page.

This page displays rogue access points that are classified as Friendly.

This table describes the friendly rogue access point parameters.

Table 2-39 CDP Traffic Metrics


Packets In Number of CDP packets received by the controller.

Packet Out Number of CDP packets sent from the controller.

Checksum Errors Number of packets that experienced a checksum error.

No Memory Errors Number of packets dropped due to insufficient memory.

Invalid Packets Number of invalid packets.



This page reports rogue access points until the “Expiration Timeout for Rogue AP Entries” (set on the Friendly Rogues page) expires.

The MAC address links in on this page take you to the respective Rogue AP Detail page when selected.

To remove rogue access points from the list, select the check boxes that correspond to the access point and click Remove Selected.

To remove all access points, select the check box in the table header row and access points are automatically selected. Click Remove Selected.

Malicious Rogue APsChoose MONITOR > Rogues > Malicious APs to navigate to the Malicious Rogue APs page.

This page displays the rogue access points that are classified as Malicious. This page reports rogue access points until the “Expiration Timeout for Rogue AP Entries” (set on the Friendly Rogues page) expires.

The MAC address links in the rogue access point radios table take you to the respective Rogue AP Detail page when selected.

To remove a rogue access point from the list, click the blue arrow adjacent the desired rogue access point and choose Remove.

This table describes the malicious rogue access point parameters.

Table 2-40 Friendly Rogue Access Point Parameters


MAC Address MAC address of the rogue access point.

SSID SSID that is broadcast by the rogue access point radio.

Channel Channel number of the access point that has detected this friendly rogue access point.

# Detecting Radios Number of Cisco Radios that detect the rogue access point radio.

Number of Clients Number of clients associated with the rogue access point.

Status Automatic and configurable state of this radio relative to the network or controller. The status of rogue access point radios is one of the following:

• Internal—The unknown access point is inside the network and poses no threat to WLAN security. For example, the access points in your lab network is an internal rogue access point.

• External—The unknown access point is outside the network and poses no threat to WLAN security. For example, the access points belonging to a neighboring coffee shop are external rogue access points.

• Alert—The unknown access point is not in the neighbor list or in the user-configured friendly MAC list.




To move the Malicious rogue APs that are being contained or were contained back to Alert state, click Move to Alert button on the respective pages.

To remove all access points, select the check box in the table header row. All access points are automatically selected. Click Remove Selected.

Custom Rogue APsChoose MONITOR > Rogues > Custom APs to navigate to the Custom Rogue APs page.

This page displays rogue access points that are classified as Custom.

This table describes the custom rogue access point parameters.

Table 2-41 Malicious Rogue Access Point Parameters



SSID SSID being broadcast by the rogue access point radio.

Channel Channel number of the access point that has detected this rogue access point.



Status Automatic and configurable state of the radio relative to the network or controller. The status of rogue access point radios is one of the following:


• Threat—The unknown access point is found to be on the network and poses a threat to WLAN security.

• Contained—The unknown access point is contained.

• Containment Pending—The unknown access point is marked “Contained,” but the action is delayed due to unavailable resources.

Table 2-42 Custom Rogue Access Point Parameters



SSID SSID that is broadcast by the rogue access point radio.

Channel Channel number of the access point that has detected this friendly rogue access point.




This page reports rogue access points until the Expiration Timeout for Rogue AP Entries (set on the Friendly Rogues page) expires.

The MAC address links in on this page take you to the respective Rogue AP Detail page when selected.


To remove all access points, select the check box in the table header row and access points are automatically selected. Click Remove Selected.

Unclassified Rogue APsChoose MONITOR > Rogues > Unclassified APs or MONITOR > Summary and click Active Rogue APs under the Rogue Summary section to navigate to the Unclassified Rogue APs page.

This page reports rogue access points until the expiration timeout for rogue AP entries (set on the Friendly Rogues page) expires. The MAC address links in the rogue access point radios table take you to the respective Rogue AP Detail page when selected.

To remove a rogue access point from the list, click the blue arrow adjacent the desired rogue access point and choose Remove.

This page displays rogue access points that did not match the Malicious or Friendly rules.

This table describes the rogue access point radio parameters.



• Internal—The unknown access point is inside the network and poses no threat to WLAN security. For example, the access points in your lab network is an internal rogue access point.

• External—The unknown access point is outside the network and poses no threat to WLAN security. For example, the access points belonging to a neighboring coffee shop are external rogue access points.


Table 2-42 Custom Rogue Access Point Parameters


Table 2-43 Rogue Access Point Radio Parameters




Channel Channel number of the access point that has detected this unclassified rogue access point.





To move the Malicious rogue APs that are being contained or were contained back to Alert state, click Move to Alert button on the respective pages.

To remove all access points, select the check box in the table header row. All access points are automatically selected. Click Remove Selected.

Rogue AP DetailChoose MONITOR > Summary, click Detail in the Active Rogue APs row of the Rogue Summary section, and then click the MAC address of the AP to navigate to the Rogue AP Detail page.

This page displays the access point details of the unauthorized or unknown radio. This table describes the new rule parameters.

Rogue Access Point Radio Details

This table describes the rogue access point radio details.



• Pending—On first detection, the unknown access point is put in the “Pending” state for 3 minutes. During this time, the managed access points determine if the unknown access point is a neighbor access point.


• Contained—The unknown access point is contained.

• Containment Pending—The unknown access point is marked “Contained,” but the action is delayed due to unavailable resources.

Table 2-43 Rogue Access Point Radio Parameters


Table 2-44 Rogue Access Point Radio Details



Type Rogue access point type:

• AP—Infrastructure access point

• Ad Hoc—Client-to-Client

Is Rogue on Wired Network?

Yes or No. Unknown if WEP is enabled, as shown below on this page.

First Time Reported On Date and time that the radio was first scanned by the controller.

Last Time Reported On Date and time that the radio was last scanned by the controller.



Classification Change By Classification of the rogue access point either manually, by default, or by rogue rule.

Class Type Class of this radio as follows:

• Friendly—An unknown access point that matches the user-defined friendly rules or an existing known and acknowledged rogue access point. Friendly access points cannot be contained.

• Malicious—An unknown access point that matches the user-defined malicious rules or is moved manually by the user from the “Friendly” or “Unclassified” classification type.

Note Once an access point is classified as “Malicious,” you cannot apply rules to it in the future, and it cannot be moved to another classification type. If you want to move a malicious access point to the “Unclassified” classification type, you must delete the access point and allow the controller to reclassify it.

• Unclassified—An unknown access point that does not match the user-defined friendly or malicious rules. An unclassified access point can be contained. It can also be moved to the “Friendly” or “Malicious” classification type automatically in accordance with user-defined rules or manually by the user.

• Custom—An unknown access point that matches the user-defined classification type.

Manually Contained Whether the rogue is manually contained or automatically contained.

State Status of this radio as follows:

• Alert

• Internal

• External

• Contain

• Pending





APs that Detected this Rogue

This table describes the AP parameters.

Update Status1 Configurable state of this rogue access point in the controller. You may set the status to one of the following:

• Internal—The controller trusts this rogue access point. This option is available if the Class Type is set to Friendly.

• External—The controller acknowledges the presence of this rogue access point. This option is available if the Class Type is set to Friendly.

• Contain—The controller contains the offending device so that its signals no longer interfere with authorized clients. This option is available if the Class Type is set to Malicious or Unclassified.

• Alert—The controller forwards an immediate alert to the system administrator for further action. This option is available if the Class Type is set to Malicious or Unclassified.

Maximum number of APs to contain this rogue

Maximum number of access points used to contain this rogue (1, 2, 3, or 4).

1. Do not attempt to contain rogue access points operated by other establishments, such as the cafe hotspot across the street.



Table 2-45 APs that Detected this Rogue


Base Radio MAC MAC address of the Cisco access point that identified the rogue access point radio.

AP Name Name of the Cisco access point that identified the rogue access point radio.


Channel Channel the rogue access point is broadcasting on.

Channel Width (Mhz) Channel bandwidth: 20 MHz or 40 MHz.

Radio Type Protocol of the rogue access point that is either 802.11a, 802.11b, 802.11g, or 802.11n.

WEP Whether WEP is enabled or disabled.

WPA Type of security protocol is Enabled or Disabled.

Pre-Amble Preamble type of the AP that detected this rogue.



Clients Associated with this Rogue AP

This table describes the client parameters.

Note Beginning in controller Release 7.4 and later, you can view details of up to 256 clients for a rogue AP.

Click Apply to send data to the controller, but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

Rogue ClientsChoose MONITOR > Rogues > Rogue Clients or MONITOR > Summary and click Detail in the Active Rogue Clients row of the Rogue Summary section to view the Rogue Clients page. This page displays information about rogue clients that are detected.

This table describes the rogue client parameters.

RSSI Receive signal strength indicator (RSSI) of rogue access point radio at the access point.

If RSSI indicates –80 dBm or lower, the rogue access point is far away or transmitting at a low signal strength.

If RSSI indicates –60 dBm or higher, the rogue access point is close and/or transmitting at a high signal strength.

SNR Signal to noise ratio (SNR) of rogue access point radio at the access point.

Containment Type Contained if the rogue access point clients have been contained at Level 1 through Level 4 under Update Status Maximum Number; otherwise this field is blank.

Containment Channel Current channel or channels if the rogue access point clients have been contained at Level 1 through Level 4 under Update Status; otherwise this field is blank.

Table 2-45 APs that Detected this Rogue


Table 2-46 Clients Associated with this Rogue AP


MAC Address MAC address of the rogue client.

Last Time Heard Last time the Cisco access point detected the rogue access point client.



Click the MAC address on this page to go to the Rogue Client Details page.

Rogue Client DetailsChoose MONITOR > Rogues > Rogue Clients and then click the MAC address link to navigate to the Rogue Client Details page.

This page displays details of unauthorized clients.

Rogue Client Details

This table describes the rogue client details.

Table 2-47 Rogue Client Parameters



AP MAC Address MAC address of the Cisco access point.

SSID Service Set Identifier being broadcast by the rogue client.

# Detecting Radios Number of Cisco radios detecting the rogue client.

Last Seen On Last time that the Cisco access point detected the rogue access point client.

Status Configurable state of this radio relative to the network or controller:

• Contain—The controller contains the offending device so that its signals no longer interfere with authorized clients.

• Alert—The controller forwards an immediate alert to the system administrator for further action.

Wired Whether the client is on a wired network or not.

Table 2-48 Rogue Client Detail Parameters



APs MAC Address MAC address of the Cisco access point that identified the rogue access point radio.

Radio Type


IP Address IPv4 or IPv6 address of the rogue client or Unknown.

First Time Reported On Date and time that the radio was first scanned by the controller.

Last Time Reported On Date and time that the radio was last scanned by the controller.



APs that Detected this Rogue Client



Click Ping to send a ping to a network element.

Adhoc RoguesChoose MONITOR > Rogues > Adhoc Rogues or MONITOR > Summary and click Detail in the Adhoc Rogues row of the Rogue Summary section to navigate to the Adhoc Rogues page. You can see details of friendly, malicious, custom, and unclassified ad-hoc rogues in separate pages.

State Status of this radio is as follows:

• Contain

• Alert




1. Do not attempt to contain rogue access points operated by other establishments, such as the cafe hotspot across the street!

Table 2-48 Rogue Client Detail Parameters


Table 2-49 APs Detected Rogue Clients Parameters


Base Radio MAC MAC of the access point.

AP Name Access points that identified the rogue access point radio.

Channel Channel that the access point is broadcasting on.

Radio Type Protocol of the rogue access point is either 802.11a, 802.11b, 802.11g, 802.11n, or Unknown.

RSSI Receive signal strength indicator (RSSI) of access point radio at the access point.

–80 dBm or lower, the rogue access point is far away or transmitting at a low signal strength.

–60 dBm or higher, the rogue access point is close and/or transmitting at a high signal strength).

SNR Signal to noise ratio (SNR) of the access point.



This table describes the adhoc rogue parameters.

Click the MAC address on this page to go to the Adhoc Rogue Details page.

Adhoc Rogue DetailsChoose MONITOR > Rogues > Adhoc Rogues and click the MAC address link in the ad-hoc rogue table to navigate to the Adhoc Rogues Details page.

This page displays details about ad-hoc rogue access points.

Adhoc Rogues

This table describes the adhoc rogues details.

Table 2-50 Adhoc Rogues Parameters



BSSID MAC address of the Cisco access point.

SSID SSID that is broadcast by the rogue client.

# Detecting Radios Number of Cisco Radios that detect the rogue client.

Status Status of this radio as follows:



• Internal—The controller trusts this rogue access point.

• External—The controller acknowledges the presence of this rogue access point.

Table 2-51 Adhoc Rogues Details Parameters


MAC Address MAC address of the ad-hoc rogue.

BSSID BSSID of the ad-hoc rogue.

First Time Reported On Date and time that the rogue was first scanned by the controller.

Last Time Reported On Date and time that the rogue was last scanned by the controller.

Classification Change By Classification of the rogue access point either manually, by default, or by rogue rule.

Classified by AP MAC address of the access point that classified the rogue access point.

Classified RSSI RSSI of the rogue access point.

Rule Name Name of the custom rogue rule.



Severity Score Custom classification severity score for the rogue rule. The range is from 1 to 100.

State Change By Cause of the state change of the rogue access point.

Class Type Classification type of the rogue access point. It can be one of the following:

• Friendly—An unknown access point that matches the user-defined friendly rules or an existing known and acknowledged rogue access point. Friendly access points cannot be contained.

• Malicious—An unknown access point that matches the user-defined malicious rules or is moved manually by the user from the “Friendly” or “Unclassified” classification type.

Note Once an access point is classified as “Malicious,” you cannot apply rules to it in the future, and it cannot be moved to another classification type. If you want to move a malicious access point to the “Unclassified” classification type, you must delete the access point and allow the controller to reclassify it.

• Unclassified—An unknown access point that does not match the user-defined friendly or malicious rules. An unclassified access point can be contained. It can also be moved to the “Friendly” or “Malicious” classification type automatically in accordance with user-defined rules or manually by the user.

• Custom—An unknown access point that matches the user-defined classification type.

State Current state of this rogue access point in the controller. It can be one of the following:

• Internal—The controller trusts this rogue access point. This option is available if the Class Type is set to Friendly.

• External—The controller acknowledges the presence of this rogue access point. This option is available if the Class Type is set to Friendly.

• Contain—The controller contains the offending device so that its signals no longer interfere with authorized clients. This option is available if the Class Type is set to Malicious or Unclassified.

• Alert—The controller forwards an immediate alert to the system administrator for further action. This option is available if the Class Type is set to Malicious or Unclassified.





APs that Detected this Rogue






• Internal—The controller trusts this rogue access point.

• External—The controller acknowledges the presence of this rogue access point.

Maximum number of APs to contain this rogue

Maximum number of access points used to contain this rogue (1, 2, 3, or 4).

1. Do not attempt to contain rogue access points operated by other establishments, such as the cafe hotspot across the street!



Table 2-52 AP Detected Rogue Parameters


Base Radio MAC MAC of the access point.

AP Name Access points that identified the access point radio.

SSID SSID of the access point.

Channel Channel on which the rogue access point is broadcasting.

Radio Type Protocol of the rogue access point that is either 802.11a, 802.11b, 802.11g, 802.11n, or Unknown.

WEP Whether WEP is enabled on the access point.

WPA Whether WPA is enabled on the access point.

Pre-Amble Preamble type of either Long or Short.

RSSI RSSI of the access point.

SNR Signal to noise ratio (SNR) of the access point at the Cisco access point.

Containment Type Type of containment.

Containment Channels Channels on which the access point contained the ad-hoc rogue.


Chapter 2 Monitor Tab Redundancy

Rogue AP Ignore-listChoose MONITOR > Rogues > Rogue AP ignore-list to navigate to the Rogue AP Ignore-listpage.

This page shows the MAC addresses of any access points that are configured to be ignored.

The rogue-ignore list contains a list of any autonomous access points that have been manually added to Prime Infrastructure (PI) maps by PI users. The controller regards these autonomous access points as rogues even though Prime Infrastructure is managing them. The rogue-ignore list allows the controller to ignore these access points. The list is updated as follows:

• When the controller receives a rogue report, it checks to see if the unknown access point is in the rogue-ignore access point list.

• If the unknown access point is in the rogue-ignore list, the controller ignores this access point and continues to process other rogue access points.

• If the unknown access point is not in the rogue-ignore list, the controller sends a trap to PI . If PI finds this access point in its autonomous access point list, PI sends a command to the controller to add this access point to the rogue-ignore list. This access point is then ignored in future rogue reports.

• If you remove an autonomous access point from the PI, the PI sends a command to the controller to remove this access point from the rogue-ignore list.

RedundancyChoose MONITOR > Redundancy to view the information about redundancy. The available options are as follows:

• To view redundancy statistics, choose MONITOR > Redundancy > Statistics.

See Redundancy Statistics more information.

• To view redundancy peer statistics, choose MONITOR > Redundancy > Peer Statistics.

See

• To view the redundancy summary, choose MONITOR > Redundancy > Summary.

See Redundancy Summary more information.

Redundancy StatisticsChoose MONITOR > Redundancy > Statistics to navigate to the Redundancy Statistics page.

This page displays information about the redundancy statistics.

Note You can view the redundancy statistics only if the SSO mode is enabled.

This table describes the redundancy statistics.



Table 2-53 Redundancy Statistics


Category Drop down box from which you can select one of the following category:

• All

• Infra

• Transport

• Keepalive

• GW-Reachability

• Config-Sync

• None

RF Client Brief Displays the RF Clients list.

Sanity Counters

Sanity Messages successfully sent

Displays the number of Sanity messages i.e. health check messages sent from this box.

Sanity Messages failed to send

Displays the number of Sanity messages failed to send from the controller.

Sanity Messages received from peer

Displays the number of Sanity messages received from the Peer WLC.

Transport Counters

Number of messages in the hold Queue

Displays information about number of IPC messages in queue.

Application message Max Size

Displays information about number of IPC messages in queue.

IPC message Max Size Displays maximum supported MTU size IPC messages.

Time to hold IPC messages

Displays maximum time to hold the IPC messages if the IPC buffer is not full.

IPC sequence number in the TX side

Displays IPC sequence number in the transmitter window.

IPC sequence number in the RX side

Displays IPC sequence number in the receiver window.

IPC sequence number mismatches (Low)

Displays low watermark of IPC sequence number mismatches.

IPC sequence number mismatches (high)

Displays high watermark of IPC sequence number mismatches.

Keepalive Counters

Keep Alive Request Received

Displays the number of Keep Alive request received from the peer through RP.

Keep Alive Responses Received

Displays the number of Keep Alive response received from the peer through RP.

Keep Alive Request Sent Displays the number of Keep Alive Requests sent to peer.



Keep Alive Response Sent

Displays the number of Keep Alive Responses sent from the controller.

Keep Alive Requests failed to send

Displays the number of Keep Alive Requests failed to send from the controller.

Keep Alive Responses to failed to send

Displays the number of Keep Alive Responses failed to send from the controller.

Number of times two Keep alives are lost consecutively

Displays the number of times 2 keepalives are lost consecutively. i.e twice did not get the response for keep alive requests.

Network Latencies (RTT) for the Peer Reachability in microsec

Peer Reachability Latency

Displays the latency between peers through RMI.

Gx Reachability

Gw Pings Succesfully sent

Displays the number of Pings successfully sent to Gateway from the controller.

Gw Pings Failed to send Displays the number of Pings failed to send to Gateway from the controller.

Gw Responses Received Displays the number of Pings successfully received from the Gateway to the controller.

Current consecutive Gw Responses Lost

Displays the number of consecutive GW responses lost i.e number of consecutive responses not received.

High Water Mark of Gw Responses Lost

Displays the highest consecutive GW responses lost to the controller.

Network Latencies (RTT) for the Management Gateway Reachability in microsec

Gateway Reachability Latency

Displays the latency between the controller and the GW.

Ping Request and Response

Ping Requests sent to Peer

Displays the number of ping requests sent to peer through RMI.

Ping Response received from Peer

Displays the number of ping responses received from the peer through RMI.

Config Sync Counter

Usmdb Functions sent for Sync

Displays the total number of Usmdb functions sent for Sync to Standby

Failed sync for Usmdb Sync

Displays the total number of Usmdb functions failed to send for Sync to Standby.

UsmDbs which failed to sync from Active to Standby

Index Displays the index of UsmDb failed to sync.

Failed UsmDb Displays the information about the UsmDb that is failed to sync to standby.

Port Information





Peer StatisticsChoose MONITOR > Redundancy > Peer Statistics to navigate to the Peer Statistics page.

The CPU and memory statistics of all the threads of the standby WLC are synchronized with the active controller every 10 seconds. This information is displayed when you query for the peer statistics on the active WLC.

This page displays the following information:

• Peer-System statistics

• Peer-Process CPU statistics

• Peer-Process Memory statistics

Redundancy SummaryChoose MONITOR > Redundancy > Summary to navigate to the Redundancy Summary page.

This page displays information about the Redundancy Facilitator states on the active and peer unit in the redundancy mode and the switch of activity (swact).

This table describes the Redundancy Facilitator parameters.

Local Physical Ports Indicate the ports that are operationally up in the controller.

Peer Physical Ports Indicate the ports that are operationally up in the peer controller.



Table 2-54 Redundancy Facilitator Summary


Local State Current state of the Redundancy Facilitator of the controller. It can be Active, Standby HOT, or Standby COLD.

Peer State Current state of the Redundancy Facilitator of the peer controller. It can be Active, or Standby HOT, or Standby COLD.

Unit Type of controller that can be primary or secondary.

Unit ID Unique ID of the redundant unit. It can be the MAC address of the controller.

Redundancy State Redundancy mode operational on the controller. The redundancy modes are as follows:

• 0—No redundancy

• SSO—Hot Standby Mode

• RPR—Cold Standby Mode



Redundancy DetailChoose MONITOR > Redundancy > Detail to navigate to the Redundancy details page.

This table describes the Redundancy detail parameters.

Maintenance Mode Maintenance mode that can be enabled or disabled. Indicates if the redundant units can communicate synch messages with each other.

If the controllers cannot reach each other through the redundant port or through the Redundant Management Interface, the standby controller goes into the maintenance mode.

Maintenance Cause Cause of the switchover to the maintenance mode.

Average Redundancy Peer Reachability Latency

Average delay to reach the peer controller in seconds.

Average Management Gateway Reachability Latency

Average delay to reach the management gateway in seconds.

BulkSync Status Indicates whether the bulk sync is completed once the Standby boots up and moves to STANDBY HOT state. This can be:

• In-Progress

• Pending and

• Complete

Table 2-54 Redundancy Facilitator Summary (continued)


Table 2-55 Redundancy Detail Parameters


Redundancy Management This is the IP address of Redundancy Management Interface of the controller.

Peer Redundancy Management

This is the IP address of the Redundancy Management Address of the Peer controller.

Redundancy port IP This is the IP address of the Redundancy Port of the controller.

Peer Redundancy port IP This is the IP address of the Redundancy Port of the Peer controller.

Peer Service Port IP This is the IP address of the Service port of the Peer controller.

Switchover History Table

Previous Active Information about controller that was previously Active before Switchover. This will have the RMI IP of previous Active.

Current Active Information about controller that was currently Active after Switchover. This will have the RMI IP of current Active.

Switchover Reason Information about the switchover reason whether it is User initiated, GW not reachable or Active Failed.

Switchover Time Information about when the switchover has happened.


Chapter 2 Monitor Tab Clients

ClientsChoose MONITOR > Clients or MONITOR > Summary and click Detail in the row that corresponds to Current Clients in the Client Summary section to navigate to the Clients page.

This page displays information about the clients associated with the access points.

Client List Filter

You can create a filter to display the client list by MAC address or a combination of access point name, WLAN profile name, status, radio type, workgroup bridge (WGB), or PMIP.

Note When you enable the MAC address filter, other filter options are disabled.

When you enable the AP name, WLAN profile name, status, radio type, or workgroup bridge (WGB) filter, the MAC address filter is disabled.


Click Change Filter to display the Search Clients dialog box (see the following figure) and to create or change filter parameters. Click Show All to remove the filter and display the entire client list.

• MAC Address—MAC address that you enter as 6 two-digit hexadecimal numbers separated by colons (for example, 01:23:45:67:89:AB).

• IP Address—IP address of the client.


• User Name—Username associated with the client.

• WLAN Profile—WLAN profile name. You can select a WLAN profile by selecting one of the configured WLANs on your wireless network.

• WLAN SSID—SSID of the WLAN that the client is associated with.

• Status—One or more status types: Associated, Authenticated, Excluded, Idle.

• Radio Type—802.11a, 802.11b, 802.11g, 802.11an, 802.11bn, Mobile radio type.

Redundancy Timeout Values

Keep Alive TimeOut Information about the timeout the controller can wait for Keep Alive responses before considering keep alive is lost.

Peer Search TimeOut Information about the timeout the controller can wait for peer search responses before considering peer is not reachable.

Network Routes Peer

Number of Routes Total number of Network Routes this controller holds.

IP Address IP address of target network/IP address.

IP Netmask IP network mask information of the routes of this controller.

Gateway IP Address Information about the next hop gateway for this route.

Table 2-55 Redundancy Detail Parameters (continued)




• WGB—WGB wired clients that are associated with the access points.

• Apply—Filter settings.

Client Information Table

This table displays a list of all clients attached to the controller. Client information includes the following:

• Client MAC Addr—MAC address of the client.


• AP Name—Name of the access point.

• WLAN Profile—Name of the WLAN used by the client.

• WLAN SSID—SSID of the WLAN that the client is associated with.

• User Name—Username associated with the client.

• Protocol—Remote LAN clients that shows Ethernet as the protocol.

• Status—Status of the client connection.

• Auth—Authorization status.

• Port—Port number of the client’s associated access point.

• Slot ID—Slot number of the interface that can be from 0 to 3 that the client is connected to.

• PMIPv6—Whether the client is a PMIP client.

• WGB—Workgroup bridge (WGB) status.

A workgroup bridge is a mode that can be configured on an autonomous Cisco IOS access point to provide wireless connectivity to a lightweight access point on behalf of clients that are connected by Ethernet to the WGB access point.

• Device Type—Type of client device.

Click the blue arrow adjacent the desired client and choose one of the following:

• Show Wired Clients—Shows details of any wired clients that are connected to a particular WGB on the WGB Wired Clients topic. (This option is available if the client is a WGB.)

• LinkTest—Tests the link to the client, reports the client MAC address, and reports the number of test packets sent and received, the local signal strength, and the local signal to noise ratio. The LinkTest does not work for IPsec links and may not work for some clients.

• Disable—Manually disables a client on the Adding Disabled Clients page.

• Remove—Dissociates the client.

• 802.11aTSM or 802.11b/gTSM—Displays Traffic Stream Metrics for these radios.

Click the MAC address of the desired client to display the Client Details page.

Client DetailsChoose MONITOR > Clients and then click the client MAC address to navigate to the Client Details page.

This page displays the details of the client’s session and the AVC statistics. Information is displayed for both the client and its associated access point.



The different properties under General tab are as follows:

• Client Properties

• Security Information

• Quality of Service Properties

• Client Statistics

• Client Rate Limiting Statistics

• PMIP Properties

• AP Properties

You can view the top 10 applications used by the client in the AVC Statistics tab. Client statistics are only collected for the first 128 applications classified in 90 seconds.

Client Properties

This table describes the client properties.

Table 2-56 Client Properties Parameters


MAC Address MAC address of the client.

IPv4 Address List of IPv4 address of the clients.

IPv6 Address List the IPv6 address of the clients.

Client Type Regular, WGB, WGB client, or Unknown type.

Number of Wired Client(s)

Number of wired clients that are connected to this WGB if the client type is WGB.

User Name Login client name from RADIUS or controller authentication.

Port Number Controller port used for the client’s associated access point.

Interface User-defined name for this interface; for example, management, service-port, virtual.

VLAN ID VLAN tag identifier, or 0 for no VLAN tag.

CCX Version Cisco Client Extensions (CCX) version in use, if supported.

If the client supports Cisco Client Extensions version 5, two additional button are displayed:

• Send CCXV5 Request

• Display

See the Client Reporting page for more information about Cisco Client Extensions version 5 client reporting.

E2E Version End-to-End version in use, if supported.



Security Information

This table describes the security information parameters.

Mobility Role Local when the client has not roamed from its original controller or when the client has roamed to another controller on the same subnet.

Foreign when the client has roamed from its original controller to another controller on a different subnet.

Anchor when the client has roamed back to its original controller after roaming to another controller on a different subnet.

Mobility Peer IP Address N/A when the client is Local (has not roamed from its original subnet).

Anchor IP address (the IP address of the original controller) when the client is Foreign (has roamed to another controller on a different subnet).

Foreign IP address (the IP address of the original controller) when the client is Anchor (has roamed back to another controller on a different subnet).

Policy Manager State DHCP_REQD when a DHCP server is required to complete the security policy.

8021X_REQD when 802.1X is the required policy.

Other messages to be determined.

Management Frame Protection

Management frame protection (MFP) provides security for the unprotected and unencrypted 802.11 management messages passed between access points and clients. MFP provides both infrastructure and client support.

UpTime (Sec) Time in seconds since the client has been up.

Power Save Mode Power save mode of the client.

Current TxRateSet Current transmission rate.

Data RateSet Data rate for the client.

KTS CAC Capability KTS-based CAC capability of the client.

802.11u Hotspot is a solution that enables 802.1X capable clients to interwork with external networks. This feature provides service availability information to clients and can help them to associate available networks.

Table 2-56 Client Properties Parameters




Table 2-57 Security Information Parameters


Security Policy Completed

No (when the security policy checks have not been completed) or Yes (when the security policy checks have been completed).

Auth Key Mgmt Type of Authenticated Key Management that can be one of the following:

• 802.1X

• CCKM

• PSK

• 802.1X+CCKM

EAP Type –

SNMP NAC State Current state of the client: Quarantine, Access, or Invalid.

RADIUS NAC State Current state of the client in the RADIUS NAC-enabled WLAN. When a client is associated to the controller on a RADIUS NAC-enabled WLAN, the controller forwards the request to the ISE server. The state of the client can be DHCP_REQD or POSTURE_REQD.

CTS Security Group Tag Cisco TrustSec Security Group Tag information.

AAA Override ACL Name

Name of the AAA Override ACL. This ACL is in addition to the VLAN ACL that is applied to the VLAN on the Ethernet interface.

If a client gets an AAA Override of the VLAN, the client is placed on the overridden VLAN and the ACL on the VLAN applies to the client. To support centralized access control through an AAA server, such as ISE or ACS, an ACL must be configured on the controller and the WLAN must be configured with the AAA override-enabled feature.

AAA Override ACL Applied Status

Status of the client that indicates if the client has been authenticated after the application of an AAA Override ACL.

AAA Override Flex ACL Name of the IPv4 ACL that is the FlexConnect ACL for clients connected to FlexConnect access points.

AAA Override Flex ACL Applied Status

Status of the client that indicates if the client has been authenticated after the application of the AAA Override FlexConnect ACL.

Redirect URL Redirect URL that the client should be directed to after authentication.

IPv4 ACL Name Name of the IPv4 ACL.

IPv4 ACL Applied Status Status of whether the IPv4 ACL was applied to the client’s WLAN.

IPv6 ACL Name Name of the IPv6 ACL.

IPv6 ACL Applied Status Status of whether the IPv6 ACL was applied to the client’s WLAN.

mDNS Profile Name mDNS profile associated with the service that the client is using.

mDNS Service Advertisement Count

Count of the mDNS service advertisements that the client received for a requested service.

AAA Role Type Role of the user.

Local Policy Applied Policy applied to the client device.



Quality of Service Properties

This table describes the QoS parameters.

Client Statistics

This table describes the client statistics parameters.

Table 2-58 Quality of Service Parameters


WMM State WMM state that you enable or disable.

Wi-Fi Multimedia (WMM) is a QoS protocol and a subset of 802.11e standard. WMM technology identifies packets of voice, video, audio or other types of data and prioritizes their delivery based on traffic conditions. Videos transmitted over wireless networks suffer greatly if packets are delayed or dropped. So video data is given priority over other types of data on a network.

QoS Level Quality of Service level that you set on the Editing QoS Profile page:

• Platinum (Voice)—Assures a high QoS for Voice over Wireless.

• Gold (Video)—Supports the high-quality video applications.

• Silver (Best Effort)—Supports the normal bandwidth for clients.

• Bronze (Background)— Provides lowest bandwidth for guest services.

VoIP clients should be set to Platinum, Gold or Silver, while low-bandwidth clients can be set to Bronze.

Diff Serv Code Point (DSCP)

Prioritization of packets by the 6 bits in the DSCP that you set on the Editing QoS Profile page.

802.1P Tag VLAN tag (1-7) received from the client, defining the access priority. This tag maps to the QoS Level for client-to-network packets. You set this tag on the Editing QoS Profile page.

Average Data Rate Operator-defined average data rate for non-UDP traffic that you set on the Editing QoS Profile page.

Average Real-Time Rate Operator-defined average data rate for UDP traffic that you set on the Editing QoS Profile page.

Burst Data Rate Operator-defined peak data rate for non-UDP traffic that you set on the Editing QoS Profile page.

Burst Real-Time Rate Operator-defined peak data rate for UDP traffic that you set on the Editing QoS Profile page.

Table 2-59 Client Statistics Parameters


Bytes Received Number of bytes received by the controller from the client.

Bytes Sent Number of bytes sent to the client from the controller.

Packets Received Number of packets received by the controller from the client.



Client Rate Limiting Statistics

This table describes the client rate limiting statistics.

Packets Sent Number of packets sent to the client from the controller.

Policy Errors Number of policy errors for the client.

RSSI Receive signal strength indicator of the client RF session.

SNR Signal to Noise Ratio of the client.

Sample Time Time that the client statistics snapshot was taken.

Excessive Retries Number of excessive retries before the access point looks for another controller.

Retries Number of retries before the access point finds a controller.

Success Count Counter increments when a CTS is received in response to an RTS.

Fail Count Modem failure count.

Tx Filtered Number of filtered error frames.

Data Retries Number of data retries by the client.

RTS Retries Number of request-to-send retries by the client.

Duplicates Number of duplicate packets received.

Decrypt Failed Number of decrypt packets that failed.

Mic Errors Number of packets that have MIC errors.

Mic Missing Frames Number of packets that do not have MIC.

RA Packets Dropped Number of router advertisement packets that are dropped.

Interim Updates Sent Number of times the interim updates were sent.

Table 2-59 Client Statistics Parameters


Table 2-60 Client Rate Limiting Statistics Parameters


Data Bytes Received Number of data bytes received by the controller from the client.

Data Rx Bytes Dropped Number of Rx data bytes dropped by the controller from the client.

Data Rx Packets Dropped Number of Rx packets dropped by the controller from the client.

Real-time Packets Received

Number of real-time packets received by the controller from the client.

Real-time Rx Packets Dropped

Number of Rx real-time packets dropped by the controller from the client.

Real-time Bytes Received Number of real-time bytes received by the controller from the client.

Rx Data Bytes Dropped Number of Rx data bytes dropped by the controller from the client.

Rx Real-time Bytes Dropped

Number of Rx real-time bytes dropped by the controller from the client.

Data Packets Sent Number of packets sent to the client from the controller.



PMIP Properties

This table describes the PMIP properties.

Data Bytes Sent Number of data bytes sent to the client from the controller.

Real-time Bytes Sent Number of real-time bytes sent to the client from the controller.

Tx Data Bytes Dropped Number of Tx data bytes dropped by the controller from the client.

Tx Real-time Bytes Dropped

Number of Tx real-time bytes dropped by the controller from the client.

Data Packets Received Number of data packets received by the controller from the client.

Real-time Packets Sent Number of real-time packets sent to the client from the controller.

Real-time Tx Packets Dropped

Number of Tx real-time packets dropped by the controller from the client.

Tx Data Packets Dropped Number of Tx data packets dropped by the controller from the client.

Tx Real-time Bytes Dropped

Number of Tx real-time packets dropped by the controller from the client.

Table 2-60 Client Rate Limiting Statistics Parameters


Table 2-61 PMIP Properties


Mobility Type Type of PMIP mobility for the client. The type can be None or PMIPv6.

Network Access ID (NAI) Network Access ID of the PMIP profile.

PMIP State State state of the PMIP client. The available states are as follows:

• Unknown—Indicates that the state of the client cannot be determined.

• Activated—Indicates that the client is ready to establish a tunnel.

• Tunneled—Indicates that a bidirectional tunnel is established.

Connected Interface Connected interface of the controller.

Home Address Address of the mobile node. The mobile node can use this address if it is attached to the access network that is in the scope of that Proxy Mobile IPv6 domain.



AP Properties

Note The AP Properties table identifies the properties of the access point of the client and of the negotiated session of the client.


Access Technology Type (ATT)

8-bit field that specifies the access technology through which the mobile node is connected to the access link on the Mobile Access Gateway (MAG). The values and the corresponding access technology are as follows:

• 0—Reserved

• 1—Logical Network Interface

• 2—Point-to-Point Protocol

• 3—Ethernet

• 4—Wireless LAN

• 5—WIMAX

• 6—3GPP GSM EDGE Radio Access Network (3GPP GERAN)

• 7—3GPP Universal Terrestrial Radio Access Network(3GPP UTRAN)

• 8—3GPP ETRAN (3GPP Evolutions of the Transport in the UTRAN)

• 9—3GPP2 eHRPD (3GPP2 Evolved High Rate Packet Data)

• 10—3GPP2 HRPD (3GPP2 High Rate Packet Data)

• 11—3GPP2 1xRTT

• 12—3GPP2 UMB (3GPP2 Ultra Mobile Broadband)

Local Link Identifier Local link identifier of the client.

LMA Name Name of the LMA to which the client is connected.

Life Time Duration of the PMIP client association.

Table 2-61 PMIP Properties


Table 2-62 AP Properties Parameters


AP Address MAC address of the access point.


AP Type Access point’s RF type.

AP radio Slot ID Slot ID of the AP radio.

WLAN Profile Name of the WLAN.

Status Status of client from status code (see Status Code below).



Association ID Client’s access point association identification number.

802.11 Authentication Authentication algorithm of client.

Reason Code Client reason code:

• no reason code (0)—Normal operation.

• unspecified reason (1)—The client is associated but no longer authorized.

• previousAuthNotValid (2)—The client is associated but not authorized.

• deauthenticationLeaving (3)—The access point went offline, deauthenticating the client.

• disassociationDueToInactivity (4)—The client session timeout has been exceeded.

• disassociationAPBusy (5)—The access point is busy (performing load balancing, for example).

• class2FrameFromNonAuthStation (6)—The client attempted to transfer data before it was authenticated.

• class2FrameFromNonAssStation (7)—The client attempted to transfer data before it was associated.

• disassociationStaHasLeft (8)—The operating system moved the client to another access point using nonaggressive load balancing.

• staReqAssociationWithoutAuth (9)—The client has not been authorized yet; the client has been attempting to associate with access point.

• missingReasonCode (99)—The client was momentarily in an unknown state.

Status Code Client status code:

• idle (0)—Normal operation: no rejections of client association requests.

• aaaPending (1)—The client is completing an AAA transaction.

• authenticated (2)—802.11 authentication is completed.

• associated (3)—802.11 association is completed.

• powersave (4)—The client is in powersave mode.

• disassociated (5)—802.11 disassociation is completed.

• tobedeleted (6)—To be deleted after disassociation.

• probing (7)—The client has not been associated or authorized yet.

• disabled (8)—The client has automatically been disabled by the Operating System for an operator-defined time.

CF Pollable Whether the client is able to respond to a CF-Poll with a data frame within a SIFS time. This attribute is not implemented if the STA is not able to respond to a CF-Poll with a data frame within a SIFS time.





AVC Statistics

You can view the last 90 seconds and the cumulative statistics of the top 10 applications used by the client as a pie chart. Each application appears with the corresponding usage percentage. The applications are color coded for clarity. You can also view details of the applications such as packet count, byte count, and average packet size. Client statistics are only collected for the first 128 applications classified in 90 seconds. You can see upstream and downstream AVC statistics for the client.

This section describes the following command buttons:

• Click Apply to send data to the controller, but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

• Click Link Test to use the built-in test circuitry to test the link between the client and the controller, reports the client MAC address, and reports the number of test packets sent and received, the local signal strength, and the local signal to noise ratio. LinkTest does not work for IPsec links and may not work for some clients.

• Click Remove to disconnect the client. If the client supports Cisco Client Extensions version 5, two additional buttons are displayed:

– Click Send CCXV5 Request send the report request to the client.

– Click Display to open the Client Reporting page.

WGB Wired ClientsThe WGB Wired Clients page displays information about the WGB wired clients that are associated with the access points.

Note The WGB supports a maximum of 20 wired clients. If you have more than 20 wired clients, use a bridge or another device.

CF Poll Request Whether CFP is requested by the client.

Short Preamble Attribute, when true, that indicates that the short preamble option as defined in subclause 18.2.2.2 is implemented. This parameter must be disabled to optimize this controller for some clients, including SpectraLink NetLink Telephones.

PBCC Attribute, when true, that indicates that the PBCC modulation option as defined in subclause 18.4.6.6 is implemented. The default value of this attribute is not implemented.

Channel Agility Physical channel agility functionality that is or is not implemented.

Timeout Client Session timeout (maximum amount of time before a client is forced to reauthenticate).

WEP State WEP security state of the client.

Data Switching Whether the client's data traffic is local or centrally switched. It shows up only for FlexConnect associated clients.





Client Information Table

This table displays a list of all clients attached to the controller. Client information includes the following:

• WGB MAC address

• MAC address of the client

• Name of the access point to which client is attached

• Name of WLAN used by the client

• Type of client (802.11a, 802.11b, 802.11g, or 802.11n)

• Status of the client connection

• Authorization status

• Port number of the client’s associated access point

Click the blue arrow adjacent the desired client and choose one of the following:

• LinkTest—Indicates that the Link Test is not supported for WGB-wired clients.

• Disable—Manually disables a client on the Adding Disabled Clients page.

• Remove—Dissociates the client.

• 802.11aTSM or 802.11b/gTSM—Displays Traffic Stream Metrics for these radios.

Click the MAC address of the desired client to display the Client Details page.

Traffic Stream Metrics CollectionChoose MONITOR > Clients and click 802aTSM or 802b/gTSM to navigate to the Traffic Stream Metrics Collection page.

Traffic stream metrics (TSM) involves collecting of uplink statistics and downlink statistics between an access point and a CCX v4 client and then propagating these statistics periodically back to the controller. If the client is not CCXv4 compliant, then only the downlink statistics are captured. You configure traffic stream metrics collection on a per-interface band basis (such as all 802.11a/n radios). The controller saves this option in flash memory so that it persists across reboots. Once an access point receives this message, it enables the traffic metrics collection on the specified interface type.

Every 5 seconds, the access point gets a measurement report for both the uplink (client side) and downlink (local side) measurements. The aggregation of 5-second reports and preparation of 90-second reports are done at the access point. Every 90 seconds, the access point prepares an IAPP data packet and sends it to the controller for further processing. The controller stores the data in its structures and then provides “usmdB” access ChooseAPIs to the CLI module and the PI for displaying it on the UI.

Four variables are affected by the WLAN that can affect audio quality:

• Packet latency

• Packet jitter

• Packet loss

• Roaming time

You can isolate the problem of bad voice quality by studying these variables. The traffic stream metrics feature addresses the voice quality issue by providing statistics for each of these four variables.


Chapter 2 Monitor Tab Sleeping Clients

Client ReportingThe Client Reporting page displays details about the client and wireless network adapter.

This table describes the client reporting parameters.

Note This group displays the available capabilities, not current settings.

Profile DetailsThe Profile Details page displays the details about the selected profile on the wireless network adapter.

Sleeping ClientsChoose MONITOR > Sleeping Clients to navigate to the Sleeping Clients page. This page displays details about the sleeping clients that are managed by the WLANs configured in the controller.

This table describes the sleeping clients parameters.

Table 2-63 Client Reporting Parameters


Client Profile Displays all the available configuration profiles as well as the current profile in use on the wireless network adaptor. Click a profile name to display the Profile Details page.

Operating Parameters Displays various operating settings that the client is currently using.

Manufacturer’s Information Displays all the static manufacturer-specific data about the client and wireless network adapter.

Client Capability Displays the range of capabilities that are available on the wireless network adapter.

Table 2-64 Sleeping Clients Parameters


Client MAC MAC address of the client.

WLAN SSID SSID of the WLAN that the client is associated with.

User Name Username associated with the client.

Remaining Time Time, in hours and minutes, after the idle timeout of the sleeping client.


Chapter 2 Monitor Tab Multicast Groups

Multicast GroupsChoose MONITOR > Multicast to navigate to the Multicast page.

This page displays the details of the Layer 3 and Layer 2 multicast groups and their corresponding multicast group IDs (MGIDs).

Click the link for a specific MGID to see a list of all the clients joined to the multicast group in that particular MGID.

Layer 3 MGID Mapping

This table describes the Layer 3 MGID parameters.

Layer 2 MGID Mapping

This table describes the Layer 2 MGID parameters.

ApplicationsChoose MONITOR > Applications to navigate to the Applications page.

This page displays details of the WLANs that have Application Visibility and Control (AVC) profiles configured on them. Click the WLAN ID to navigate to the WLANs > Application Statistics page. Only WLANS on local mode access points or centrally switched on a FlexConnect access point are capable of having applications recognized by NBAR.

You can view the last 90 seconds and the cumulative statistics of the top 10 applications as a pie chart. Each application appears with the corresponding usage percentage. The applications are color coded for clarity. You can also view details of the applications such as packet count, byte count, and average packet size.

Table 2-65 Layer 3 MGID Parameters


Group address Layer 3 MGID group address.

VLAN Layer 3 MGID group VLAN.

MGID Layer 3 MGID.

IGMP/MLD Internet Group Management Protocol (IGMP) snooping that is used to limit the flooding of multicast traffic for IPv4. For IPv6, Multicast Listener Discovery (MLD) snooping is used.

Table 2-66 Layer 2 MGID Parameters


Interface name Layer 2 MGID interface name.

VLAN ID Layer 2 MGID VLAN ID.

MGID Layer 2 multicast group ID.


Chapter 2 Monitor Tab Lync

Lync

Active CallsChoose MONITOR > Lync > Active Calls to navigate to Lync Active Calls page. This page shows the following call details:

• ID

• Call Type

• Caller User ID

• Caller IP Address (IPv4/IPv6)

• Caller MAC Address

• Caller AP Name

• Callee User ID

• Callee IP Address (IPv4/IPv6)

• Callee MAC Address

• Callee AP Name

History CallsChoose MONITOR > Lync > History Calls to navigate to Lync History Calls page. This page shows the following call details:

• ID

• Call Type

• Caller IP

• Caller MAC Address

• Callee IP

• Callee MAC Address

• Status

• Duration

• MOS

• Jitter

Local ProfilingThis page shows the following information:

• Device Stats

• Device Type and Count

• Manufacturer Stats


Chapter 2 Monitor Tab Local Profiling

• Manufacturer Type and Count


C H A P T E R 3
WLANs Tab
The WLAN tab on the menu bar enables you to create, configure, and delete wireless local area networks (WLANs) on your Cisco WLC. Use the left navigation pane to access specific WLAN parameters.

You can access the following pages from the WLANs tab:

• WLANs

• AP Groups

When you choose WLANs and click the blue arrow adjacent the profile, you can access the following options:

• Deleting WLANs

• Mobility Anchors

• 802.11u

• HotSpot 2.0

• Foreign Maps

• Service Advertisement

WLANsClick WLANs to navigate to the WLANs page.

This page shows a summary of the wireless local area networks (WLANs) that you have configured on your network. From this page, you can add, remove, enable, disable, or edit WLANs.

Note The total number of WLANs appears in the upper right corner of the page. If the list of WLANs spans multiple pages, you can access these pages by clicking the page number links.

The Cisco UWN (Unified Wireless Network) solution can control up to 512 WLANs for lightweight access points. Each WLAN has a separate WLAN ID (1 through 512), a separate profile name, and a WLAN SSID (Service Set IDentifier), and it can be assigned with unique security policies. All Cisco WLCs publish up to 16 WLANs to each connected access point, but you can create up to 512 WLANs and then selectively publish these WLANs (using access point groups) to different access points to better manage your wireless network.


Chapter 3 WLANs Tab WLANs

Note All OfficeExtend access points should be in the same access point group, and that group should contain no more than 15 WLANs. A Cisco WLC with OfficeExtend access points in an access point group publishes up to 15 WLANs to each connected OfficeExtend access point because it reserves one WLAN for the personal SSID, but for Cisco OEAP 600, this is not applicable.

Note The Cisco OEAP 600 Series access point supports only two WLANs and one RLAN, and the WLAN ID must be from 1 to 8.

You can associate up to 16 WLANs with each access point group and assign specific access points to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group. See the AP Groups page for more information on access point groups.

WLAN List FilterClick the Change Filter link to display the Search WLANs dialog box to create or change filter parameters. Click Clear Filter to remove the filter and display the entire WLAN list.

You can create a filter to display the list of WLANs by profile name, SSID, status, or a combination of SSID and status.


Note When you enable the Profile Name filter, other filter options are disabled. When you enable the SSID or the Status filter, the Profile Name filter is disabled.

The Search WLANs dialog box enables you to search configured WLANs based on the following filters:

• Profile Name—Select the Profile Name check box and enter a profile name.

• SSID—Select the SSID check box and enter an SSID.

• Status—Select the Status check box and choose Enabled or Disabled.

• Find—Click Find to search for the WLAN based on the filter parameters.

WLAN Information TableClick WLANs from the left navigation menu to view the WLAN page. The WLANs page displays a summary of the configured WLANs.

This table describes the WLAN parameters.

Table 3-1 WLANs Summary


WLAN ID ID of the WLAN.

Type Type of LAN: WLAN, Guest LAN, or Remote LAN.

Profile Name Profile name of the WLAN.



Click the WLAN ID to modify the selected WLAN characteristics. The Editing WLANs page appears.

To view mobility anchor settings, click the blue arrow adjacent the profile and choose Mobility Anchors.

To enable or disable a WLAN from the WLANs page, select the check box to the left of the WLAN or WLANs, choose Enable Selected or Disable Selected from the drop-down list, and click Go.

To delete a WLAN, do one of the following:

• Click the blue arrow adjacent the profile and choose Remove. You are prompted to confirm the removal of the selected WLAN.

• Select the check box for the WLAN or WLANs, choose Remove Selected from the drop-down list, and select Go. You are prompted to confirm the removal of the selected WLAN.

• Click Go to select an option from the drop-down list.

Creating New WLANsTo configure a new WLAN for a wired guest LAN, choose Create New from the drop-down list and click Go to navigate to the New WLAN page.

This table describes the WLAN > New parameters.

WLAN SSID Definable name of the WLAN (text string).

Admin Status Status of the WLAN is either enabled or disabled.

Security Policies Security policies enabled on the WLAN.

Table 3-1 WLANs Summary


Table 3-2 WLAN > New Parameters


Type Type of WLAN: Guest WLAN, WLAN, or Remote LAN.

Note Cisco 2504 Controllers does not support wired guest services.

Profile Name Profile name of the WLAN.



Creating a WLAN

Step 1 Choose a WLAN type (Guest LAN, WLAN, or Remote LAN) from the drop-down list.

Note The WLANs that are not assigned to the access points are denoted with an asterisk (*) symbol.

Note To connect wired clients to a corporate network via an Office Extended AP, choose Remote LAN from the WLAN Type drop-down list. Once a user creates a remote LAN, it shows up on the list page as a distinct WLAN type.

Note Remote LANs should be removed from a Cisco WLC’s configuration before moving to a code base that does not support the remote LAN functionality. The remote LAN is called a WLAN in releases earlier than Cisco WLC Release 7.0.116.0, which may cause an undesirable or unsecured WLAN being broadcast on the wireless network. Remote LANs are supported only in Cisco WLC Release 7.0.116.0 and later.

Step 2 Enter a profile name for the WLAN in the Profile Name text box.

Step 3 Enter a text name for the WLAN in the WLAN SSID text box. (This is the SSID broadcast name for the WLAN.)

Note The SSID field is not available for Guest LANs and Remote LANs.

SSID SSID field is displayed if you choose WLAN from the Type drop-down list. Definable name of the WLAN (text string). This is the SSID broadcast name for the WLAN.

ID ID number for the WLAN.

Guest LAN—Enter guest LAN identifier between 1 and 5.

WLAN—Enter WLAN identifier between 1 and 512. If there is more than one two WLANs enabled for an AP group, disable all WLANs and then enable only two of them.

Remote LAN—Enter remote LAN identifier between 1 and 512. If there is more than one remote LAN enabled for an AP group, disable all remote LANs and then enable only one of them.

Note If the Cisco OEAP 600 is in the default group, the WLAN/Remote LAN IDs must be set as less than ID 8.

Table 3-2 WLAN > New Parameters




Step 4 Choose the ID number for the WLAN from the WLAN ID drop-down list.

Step 5 Click Apply to bring up the Editing WLANs page, where you can continue configuring the WLAN.

Once created, the selected WLAN type shows up in the list page as a distinct WLAN type: guest LAN, WLAN, or remote WLAN.

Click Apply to send data to the Cisco WLC, but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

Creating a Remote LAN

This section describes configuring remote LANs.

Caution You must remove all the remote LANs from the configuration of the Cisco WLC before moving to a release that does not support the remote LAN functionality. The remote LAN is called a WLAN in releases earlier than Cisco WLC Release 7.0.116.0, which may cause an undesirable or unsecured WLAN being broadcast on the wireless network. Remote LANs are supported only in Cisco WLC 7.0.116.0 and later .

Note Only four clients can connect to an OEAP 600 series access point through a remote LAN port. This number does not affect the fifteen limit imposed for the Cisco WLC WLANs. The Remote LAN client limit supports connecting a switch or hub to the Remote LAN port for multiple devices or connecting directly to a Cisco IP phone that is connected to that port. Only the first four devices will be able to connect until one of the devices is idle for more than one minute.

Step 1 Choose WLANs to open the WLANs page.

This page lists all of the WLANs and remote LANs currently configured on the Cisco WLC. For each WLAN, you can see its WLAN/Remote LAN ID, profile name, type, SSID, status, and security policies.

The total number of WLANs appears in the upper right-hand corner of the page. If the list of WLANs spans multiple pages, you can access these pages by clicking the page number links.

Note If you want to delete a WLAN, click the blue arrow adjacent the WLAN and choose Remove, or select the check box to the left of the WLAN, choose Remove Selected from the drop-down list, and click Go. A message appears asking you to confirm your decision. If you proceed, the WLAN is removed from any access point group to which it is assigned and from the access point’s radio.

Step 2 Create a new WLAN by choosing Create New from the drop-down list and clicking Go. The WLANs > New page appears.

Step 3 From the Type drop-down list, choose Remote LAN to create a remote LAN.

Step 4 In the Profile Name text box, enter up to 32 alphanumeric characters for the profile name to be assigned to this WLAN. The profile name must be unique.

Step 5 From the WLAN ID drop-down list, choose the ID number for this WLAN.

Step 6 Click Apply to commit your changes. The WLANs > Edit page appears.



Note You can also open the WLANs > Edit page from the WLANs page by clicking the ID number of the WLAN that you want to edit.

Step 7 Use the parameters on the General, Security, and Advanced tabs to configure this remote LAN. See the sections in the rest of this chapter for instructions on configuring specific features.

Step 8 On the General tab, select the Status check box to enable this remote LAN. Be sure to leave it unselected until you have finished making configuration changes to the remote LAN.

Note You can also enable or disable remote LANs from the WLANs page by selecting the check boxes to the left of the IDs that you want to enable or disable, choosing Enable Selected or Disable Selected from the drop-down list, and clicking Go.

Step 9 Click Apply to commit your changes.

Step 10 Click Save Configuration to save your changes.

Editing WLANsTo edit your WLAN settings, choose WLANs and click the Profile name to navigate to the WLANs > Edit page. For new WLANs, create a new WLAN as described in Creating New WLANs page, and then click Apply to navigate to this page.

This page enables you to edit the configurable parameters for a WLAN.

The WLAN > Edit page consists of the following four tabs:

• General

• Security

• QoS

• Policy-Mapping

• Advanced

General Tab

This table describes the General tab parameters.

Table 3-3 General Tab Parameters


Profile Name Configured profile name of the WLAN.

Type Type of LAN that is configured in the WLANs > New page: WLAN, Guest LAN, or Remote LAN.

SSID SSID of the WLAN.

Status WLAN that you want to enable or disable. The default is enabled.



Security Tab

The Security tab consists of three tabs:

• Layer 2 Tab Parameters

• Layer 3 Tab (for WLAN) Parameters or Layer 3 Tab (for Guest LAN and Remote LAN) Parameters

• AAA Servers Tab Parameters

Security Policies Security policies for a WLAN that you set from the Security tab.

Note This field appears when you choose WLAN as the Type in the WLANs > New page.

Radio Policy WLAN radio policy to apply to All (802.11a/b/g), 802.11a only, 802.11g only, 802.11b/g only, or 802.11a/g only. This setting requires that the selected bands be enabled on the 802.11a/n/ac Global Parameters and 802.11a/n/ac Client Roaming pages.

Note This field appears only when you choose WLAN as the Type in the WLANs > New page.

Interface/Interface Group (G)

Limited to the nonservice port and nonvirtual interface names configured on the Interfaces page.

Note This field appears only when you choose WLAN as the Type in the WLANs > New page.

Multicast Vlan Feature

Check box that you can select to enable the multicast VLAN feature. The default option is none.

Note The Multicast Interface field appears only after you enable the Multicast VLAN feature text box.

Note You have to configure the multicast VLAN feature only once if you want to use the multicast feature.

Broadcast SSID Service Set Identifier for this WLAN.

Ingress Interface Guest LAN’s ingress interface. By default, None is selected.

Note This field is available only for guest LANs.

Egress Interface Remote LAN’s or guest LAN’s egress interface. By default, management is selected.

Note This field is available only for remote LANs and guest LANs.

NAS-ID Network Access Server identifier. The NAS-ID is sent to the RADIUS server by the controller (as a RADIUS client) using the authentication request, which is used to classify users to different groups. You can enter up to 32 alphanumeric characters.

Beginning in Release 7.4 and later releases, you can configure the NAS-ID on the interface, WLAN, or an access point group. The order of priority is AP Group NAS-ID > WLAN NAS-ID > Interface NAS-ID.





Important Limitations and Guidelines:

• CCX is not supported on the Cisco OEAP 600 access points and all elements related to CCX are not supported.

• Layer 2 security is not supported on guest LANs.

• Only the following options are supported for Cisco OEAP 600 Series access points: None, WPA+WPA2, Static WEP, and 802.1X (only for remote LANs).

• Beginning in Release 7.4 and later releases, the controller performs both web authentication (WebAuth) and 802.1X authentication in the same WLAN. The clients are initially authenticated with 802.1X. After a successful authentication, the client must provide the WebAuth credentials. After a successful WebAuth authentication, the client is moved to the run state.

– 802.1x authentication can be performed using AAA or a local database.

• For auto-anchored guest WLANs, the guidelines are as follows:

– Only the anchor controller must have both dot1x and WebAuth configured.

– Both anchor and foreign controller must be configured for dot1x.

This table describes the Layer 2 tab parameters.

Table 3-4 Layer 2 Tab Parameters


Layer 2 Security None No Layer 2 security selected.

WPA+WPA2 Wi-Fi Protected Access.

For information on these settings, see the Layer 2 WPA + WPA2 Parameters topic.

802.1X WEP 802.1X data encryption type.

For information on these settings, see the Layer 2 802.1X Parameters topic.

Static WEP Static WEP encryption parameters.

For information on these settings, see the Layer 2 Static WEP Parameters topic.

Static WEP + 802.1X

Both Static WEP and 802.1X parameters.

For information on these settings, see the Layer 2 Static WEP Parameters and Layer 2 802.1X Parameters topics.

CKIP Cisco Key Integrity Protocol (CKIP). Functional on AP Models 1100, 1130, and 1200, but not AP 1000. Aironet IE needs to be enabled for this feature to work. CKIP expands the encryption keys to 16 bytes.

For information on these settings, see the Layer 2 CKIP Parameters topic.

None + EAP Passthrough

Both None and Extensible Authentication Protocol Passthrough parameters.

If EAP-Passthrough on the WLAN is enabled, the WLAN might be exposed to security attacks on the network.



This table describes the Layer 2 WPA + WPA2 parameters.

MAC Filtering MAC address filtering. You can locally configure clients by their MAC addresses in the Adding MAC Filters page. Otherwise, configure the clients on a RADIUS server.

Mac Auth or Dot1x

MAC authentication failover to Dot1x authentication for the WLAN. The prerequisites for the failover to work are as follows:

• MAC Filtering must be enabled.

• Layer 2 security must be 802.1X and Static WEP.

The failover does not work with Radius NAC feature.

If MAC authentication is successful and the client sends an EAP start request to start 802.1X authentication, the client must pass 802.1X authentication to send data traffic, or the client is deauthenticated.

When MAC Auth fails, the client authenticates using 802.1X or it is deauthenticated. If MAC Auth passes, then the client authenticates using 802.1X if required (for Static WEP Clients) depending on the client configuration.

Fast Transition

Fast Transition Check box to enable or disable a fast transition between access points.

Over the DS Check box to enable or disable a fast transition over a distributed system.

Reassociation Timeout

Time in seconds after which a fast transition reassociation times out.

Table 3-4 Layer 2 Tab Parameters


Table 3-5 Layer 2 WPA + WPA2 Parameters


Fast Transition

Fast Transition Check box to enable or disable a fast transition between access points.

Over the DS Check box to enable or disable a fast transition over a distributed system.

Re-association Timeout

Time in seconds after which a fast transition reassociation times out.

Protected Management Frame

PMF Drop-down list from which you can choose the following:

• Disabled—Disables 802.11w MFP protection on a WLAN.

• Optional—Enables 802.11w MFP protection on a WLAN.

• Required—Requires clients to negotiate 802.11w MFP protection on a WLAN.

802.11w introduces an Integrity Group Temporal Key (IGTK) that is used to protect broadcast or multicast management frames. IGTK is a random value, assigned by the authenticator station (Cisco WLC) used to protect MAC management protocol data units (MMPDUs) from the source STA. The 802.11w IGTK key is derived using the 4 way handshake and is used only on WLANs configured with WPA or WPA2 security at Layer 2.



Comeback Timer Association comeback interval, in seconds. This is the interval for which an associated client must wait for before the association is tried again after it is denied with the status code 30 message:

Association request rejected temporarily; Try again later.

The range is from 1 to 20. The default value is 1.

SA Query Timeout Security Association (SA) query interval, in ms. The timeout is an interval identified in the association response to an already associated client before the association can be tried again. This time interval checks if the client is a real client and not a rogue client during the association comeback time. If the client does not respond within this time, the client association is deleted from the Cisco WLC.


WPA+WPA2 Parameters

WPA Policy Check box to enable or disable the WPA Policy.

WPA2 Policy Check box to enable or disable the WPA2 Policy.

WPA2 Encryption WPA2 encryption type: TKIP or AES. Available only if the WPA2 Policy is enabled.

Authentication Key Management

802.1x An access point that supports 802.1X acts as the interface between a wireless client and an authentication server, such as a RADIUS server, to which the access point communicates over the wired network. If 802.1X is selected, only 802.1X clients are supported.

CCKM Cisco Centralized Key Management (CCKM) uses a fast rekeying technique that enables clients to roam from one access point to another without going through the controller, typically in under 150 ms.

PSK ASCII or HEX format that you can choose, after which you enter the preshared key.

FT 802.1x Authentication key management for fast transition using 802.1X.

Note You can configure FT 802.1X only if you enable the WPA2 policy.

FT PSK ASCII or HEX format that you can choose, after which you enter the preshared key for fast transition.

Note You can configure FT PSK only if you enable the WPA2 policy.

PMF 802.1x 802.1X authentication for protection of management frames (PMF).

PMF PSK Preshared keys (PSK) for PMF. Select an ASCII or HEX format, and enter the preshared key for fast transition.





This table describes the Layer 2 802.1X parameters.

This table describes the Layer 2 Static WEP parameters.

WPA gtk-randomize State

Drop-down list to enable or disable the WPA group temporal key (GTK) randomize state.

Note For the Cisco OEAP 600 Series access points, do not choose CCKM. Choose either 802.1X or PSK.

Note For the Cisco OEAP 600 Series access point, security encryption settings must be identical for WPA and WPA2 for TKIP and AES.

Note Fast roaming for clients is not supported on the Cisco OEAP 600 Series access points. Dual mode voice clients might experience reduced call quality when they roam between the two spectrum's on the Cisco OEAP 600 Series access point. We recommend that you configure voice devices to only connect on one band, either the 2.4-GHz to 5.0-GHz radio.



Table 3-6 Layer 2 802.1X Parameters


802.11 data encryption WEP 802.11 data encryption type.

Type Security type.

Key size Key size that you can choose:

• None

• 40 bits

• 104 bits

Note The third-party AP WLAN (17) can only be configured with 802.1X encryption. Drop-down configurable 802.1X parameters are not available for this WLAN.

Table 3-7 Layer 2 Static WEP Parameters


802.11 Data Encryption Static WEP encryption type.

Type Security type.


• not set

• 40 bits

• 104 bits

Key Index Key index, from 1 to 4.

Note One unique WEP key index can be applied to each WLAN. Because there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer 2 encryption.



This table describes the Layer 2 CKIP parameters.

This table describes the Layer 3 Tab (for WLAN) parameters.

Encryption Key Encryption key.

Key Format Encryption key format in ASCII or HEX.

Allow Shared Key Authentication

Key authentication that you can enable or disable.

Table 3-7 Layer 2 Static WEP Parameters


Table 3-8 Layer 2 CKIP Parameters


802.11 Data Encryption Current key information.


• not set

• 40 bits

• 104 bits

Key Index Key index, from 1 to 4.

Note One unique WEP key index can be applied to each WLAN. Because there are only four WEP key indexes, only four WLANs can be configured for static WEP Layer 2 encryption.

Encryption Key Encryption key.

Key Format Encryption key format in ASCII or HEX.

MMH Mode Multimodular Hash (MMH) mode that you can enable; the default is enabled.

Key Permutation Key permutation that you can enable or disable. The default is enabled. Key permutation is a data encryption technique that uses the basic encryption key and the current initialization vector (IV) to create a new key.



Table 3-9 Layer 3 Tab (for WLAN) Parameters


Layer 3 Security None Setting that indicates that no Layer 3 security is selected.

IPSec Setting to enable IPsec. Check software availability and client hardware compatibility before implementing IPsec.

Note You must have the optional VPN/Enhanced Security Module (crypto processor card) installed to enable IPsec. Verify that it is installed on your Cisco WLC using the Inventory page.

VPN Pass-Through VPN pass-through that you can enable or disable.

Note This option is not available on Cisco 5500 Series Controllers. However, you can replicate this functionality on the Cisco 5500 Series Controllers by creating an open WLAN using an ACL.

For information on these settings, see Layer 3 VPN Pass-Through Parameters.

Web Policy Check box that you can select to enable Web Policy.

Note The Cisco WLC forwards DNS traffic to and from wireless clients prior to authentication if there is no explicit deny rule for DNS traffic in the Pre-Auth ACL.

Note Web Policy cannot be used with IPsec or VPN pass-through options.

The following parameters are displayed:

• Authentication—Prompts the user for username and password while connecting the client to the wireless network.

• Passthrough—Enables the user to access the network directly without entering the username and password.

• Conditional Web Redirect—Enables the user to be conditionally redirected to a particular web page after 802.1X authentication has completed successfully. You can specify the redirect page and the conditions under which the redirect occurs on your RADIUS server.

• Splash Page Web Redirect—Redirects the user to a particular web page after 802.1X authentication has completed successfully. After the redirect, the user has full access to the network. You can specify the splash web page on your RADIUS server.

• On MAC Filter failure—Enables web authentication MAC filter failures.

Preauthentication ACL

IPv4 or IPv6 ACLs to be used for traffic between the client and the Cisco WLC. Refer to the Access Control Lists topic for more information.



This table describes the Layer 3 Tab (for Guest LAN and Remote LAN) parameters.

WebAuth FlexACL Drop-down list from which you can choose the FlexConnect ACL for external web authentication in locally switched WLANs.

For more information about creating FlexConnect ACLs, see Adding Access Control Lists.

Note The FlexConnect ACLs that are specific to an AP have the highest priority. The FlexConnect ACLs that are specific to WLANs have the lowest priority.

Sleeping Client Check box that you can select to enable support for sleeping clients. This feature is not applicable for remote LANs and guest LANs.

Sleeping Client Timeout

Maximum amount of time after the idle timeout, in hours, before a sleeping client is forced to reauthenticate. The range is from 1 to 720. The default value is 12. This field is enabled only when you select the Sleeping Client check box. Also, the clients need not provide the login credentials when they move from one Cisco WLC to another (if Cisco WLCs are in the same mobility group) between the sleep and wake up times.

Over-ride Global Config

Setting that is displayed if you choose Authentication.

Select this check box to override the global authentication configuration set on the Web Login Page.

Web Auth type Setting that is displayed if you choose Web Policy and Over-ride Global Config.

Type of web authentication:

• Internal

• Customized (Downloaded)

– Login Page—Choose a login page from the drop-down list.

– Login Failure page—Choose a login page that displays to the client if web authentication fails.

– Logout page—Choose a login page that displays to the client when the user logs out of the system.

• External (Redirect to external server)

– URL—Enter the URL of the external server.

Email Input Setting that is displayed if you choose Passthrough.

If you choose this option, you are prompted to specify your e-mail address when you try to connect to the network.

Table 3-9 Layer 3 Tab (for WLAN) Parameters




This table describes the Layer 3 VPN Pass-Through parameters.

This table describes the AAA servers parameters.

Table 3-10 Layer 3 Tab (for Guest LAN and Remote LAN) Parameters


Layer 3 Security None Indicates that no Layer 3 security is selected.

Web authentication Prompts you for your username and password while connecting the client to the network.

Web Passthrough Enables you to access the network directly without entering the username and password.

Preauthentication ACL

IPv4 or IPv6 ACLs to be used for traffic between the client and the Cisco WLC. See the Access Control Lists topic for more information.

Over-ride Global Config

Check box that you enable to override the global authentication configuration set on the Web Login Page.

Web Auth type Setting that is displayed if you selected Over-ride Global Config.

Type of web authentication:

• Internal

• Customized (Downloaded)

– Login Page—Choose a login page from the drop-down list.

– Login Failure page—Choose a login page that displays to the client if web authentication fails.

– Logout page—Choose a login page that displays to the client when the user logs out of the system.

• External (Redirect to external server)

– URL—Enter the URL of the external server.

Email Input Setting that is displayed if you selected Web Passthrough.

If you choose this option, you will be prompted for your e-mail address while connecting to the network.

Table 3-11 Layer 3 VPN Pass-Through Parameters


VPN Gateway Address VPN gateway IPsec pass-through address.



Table 3-12 AAA Servers Tab Parameters


RADIUS Server Overwrite Interface

RADIUS Server Overwrite Interface that you can enable or disable. The default is disabled.

When you enable the RADIUS Server Overwrite Interface, the client authentication request is sent through the dynamic interface that is set on the WLAN. The Cisco WLC sources all RADIUS traffic to a WLAN using the dynamic interface configured on the WLAN.

Note You cannot enable the Radius Server Overwrite Interface when a diagnostic channel is enabled.

RADIUS Server Client Interface

RADIUS Server Client Interface that you can enable or disable on the WLAN. The default is disabled.

When you enable the RADIUS Server Client Interface, the RADIUS server packets pass through the same VLAN as the data traffic of the client.

RADIUS Servers Authentication Servers Accounting Servers

RADIUS server (configured from the RADIUS Authentication Servers page) that you choose from the drop-down lists.

If this server is chosen, it will be the default RADIUS authentication server for the specified WLAN and overrides the RADIUS server that is configured for the network.

You can choose up to three RADIUS servers, which are tried in priority order.

RADIUS accounting server that you can enable or disable. The default is Enabled.

Choose a RADIUS server (configured from the RADIUS Accounting Servers page) from the drop-down lists.

If this server is chosen, it is the default RADIUS accounting server for the specified WLAN and overrides the RADIUS server that is configured for the network.

You can choose up to six RADIUS servers, which are tried in priority order.

RADIUS Server Accounting

If you select the Interim Update check box, the statistical usage information about the client is sent in the interim interval that you specify. By default, the statistical information is sent every 600 seconds (10 minutes).

Note The Interim Update check box can be selected only if you have the RADIUS accounting servers enabled.

LDAP Servers LDAP server (configured from the LDAP Servers page) that you can choose from the drop-down list.

You can choose up to three LDAP servers, which are tried in a priority order.

Local EAP Authentication1 Local EAP authentication that you can enable or disable. The default is disabled.



QoS Tab

Note The Cisco OEAP 600 Series access point does not support CAC. Therefore, we recommend that you do not enable 7920 AP CAC and 7920 Client CAC parameters.

You can override the defined values in the QoS profile when you specify some or all of the rate-limiting parameters in the QoS tab.

This table describes the QoS parameters.

EAP Profile Name1 EAP profile name (configured from the Local EAP Profiles page).

Authentication priority order for web-auth user

Order in which user credentials are retrieved from the back-end database servers.

Highlight the desired database from the left box.

Use the left and right arrows and the Up and Down buttons to move the desired database to the top of the right box.

If you select the RADIUS NAC feature for authentication, the priority for web authentication must only contain RADIUS.

1. This option is not available for guest LANs.

Table 3-12 AAA Servers Tab Parameters


Table 3-13 QoS Tab Parameters


Quality of Service (QoS)

Quality of Service Level, set on the Editing QoS Profile page:

• Platinum (voice)—Assures a high Quality of Service for Voice over Wireless.

• Gold (video)—Supports the high-quality video applications.

• Silver (best effort)—Supports the normal bandwidth for clients.

• Bronze (background)— Supports the lowest bandwidth for guest services.

VoIP clients should be set to Platinum, Gold, or Silver, while low-bandwidth clients can be set to Bronze.

Note Media Session Snooping is supported only for Platinum QoS profiles.

Application Visibility Check box that you can select to view the classification of applications based on the Network Based Application Recognition (NBAR) deep packet inspection technology.

To view all the supported applications, choose WIRELESS > Application Visibility and Control > Applications.

To view all classified applications, choose Monitor > Applications and click the WLAN ID to navigate to the Monitor > Clients page.



AVC Profile Drop-down list from which you can choose an Application Visibility and Control (AVC) profile for the WLAN. To configure a new AVC profile, choose WIRELESS > Application Visibility and Control > Applications and click New.

You can configure only one AVC profile per WLAN and each AVC profile can have up to 32 rules. Each rule states a Mark or a Drop action for one application, which allows you to configure up to 32 application actions per WLAN. You can configure up to 16 AVC profiles on a controller and associate an AVC profile with multiple WLANs. Only WLANS on local mode access points, or centrally switched on FlexConnect access points can have applications recognized by NBAR.

NetFlow Monitor Drop-down list from which you can choose a NetFlow monitor for the WLAN. To configure a new NetFlow monitor, choose WIRELESS > Netflow > Monitor and click New.

Override Per-User Bandwidth Contracts

Note When you set the Per-User Bandwidth Contracts parameters to 0 (OFF), the traffic allowed is unlimited and is restricted by only other 802.11 limitations. The values that you set override the values configured in the QoS profile page.

Average Data Rate User-defined average data rate (kbps) for non-UDP traffic.

The range is from 0 to 60,000; the default is 0 (OFF).

Burst Data Rate User-defined peak data rate (kbps) for non-UDP traffic.

Valid values are from 0 to 60,000; the default is 0 (OFF).

Average Real-Time Rate

User-defined average data rate (kbps) for UDP traffic.


Burst Real-Time Rate User-defined peak data rate (kbps) for UDP traffic.


Override Per-SSID Rate LimitsNote The values that you set override the values configured in the QoS profile page.

Override WLAN QoS Parameters





Average Real-Time Rate

User-defined average data rate (kbps) for UDP traffic.








Policy Mapping Tab

This table describes the policy-mapping parameters.

WMM

WMM Policy1 WMM Policy. Choose one of the following:

• Disabled—Disables this WMM policy.

• Allowed—Allows the clients to communicate with the WLAN.

• Required—Ensures that it is mandatory for the clients to have WMM features enabled on them to communicate with the WLAN.

7920 AP CAC1 Cisco 7920 AP CAC that you can enable or disable. Use this setting if you want the WLAN to support the newer version of the software on your Cisco 7920 phones. In newer versions, the CAC limit is advertised by the access points.

7920 Client CAC1 Cisco 7920 client CAC. Use this setting if you want the WLAN to support the older version of the software on your Cisco 7920 phones. In older versions, the CAC limit is set on the client.

Media Stream

Multicast Direct Check box to enable Multicast Direct on the WLAN.

Lync Policy

• Audio

• Video

• Application-Sharing

• File-Transfer

The following QoS policies can be applied for each of the Lync policies:

• Bronze

• Silver

• Gold

• Platinum

Note WLAN QoS must meet or exceed Lync policy QoS settings in order for Lync priorities to achieve the configured levels.

1. This option is not available for guest LANs and Remote LAN.



Table 3-14 Policy-Mapping Parameters


Priority Index Priority index of the policy configured on the WLAN. The policies are applied to the clients according to the priority index. The range is from 1 to 16.

Local Policy Policy applied on the WLAN. To define new policies, choose Security > Local Policies > New.



Advanced Tab

Caution Do not enable Coverage Hole Detection and Aironet IE for the Cisco OEAP 600 Series access point.

This table describes the advanced parameters.

Table 3-15 Advanced Tab Parameters


Allow AAA Override

AAA Override for global WLAN parameters that you can enable or disable.

When AAA Override is enabled, and a client has conflicting AAA and Cisco WLC WLAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system moves clients from the default Cisco WLAN Solution WLAN VLAN to a VLAN returned by the AAA server and predefined in the Cisco WLC interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system also uses QoS, DSCP, 802.1p priority tag values, and ACLs provided by the AAA server, if they are predefined in the Cisco WLC interface configuration. (This VLAN switching by AAA Override is also referred to as Identity Networking.)

If the Corporate WLAN primarily uses a Management Interface assigned to VLAN 2, and if AAA Override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.

When AAA Override is disabled, all client authentication defaults to the Cisco WLC authentication parameter settings, and authentication is only performed by the AAA server if the Cisco WLC WLAN does not contain any client-specific authentication parameters.

The AAA Override values may come from a RADIUS server, for example.

Note AAA Override is not supported with FlexConnect.

Coverage Hole Detection

Coverage hole detection (CHD) on this WLAN that you can enable or disable.

By default, CHD is enabled on all WLANs on the Cisco WLC. You can disable CHD on a WLAN.

When you disable CHD on a WLAN, a coverage hole alert is still sent to the Cisco WLC, but no other processing is done to mitigate the coverage hole. This feature is useful for guest WLANs where guests are connected to your network for short periods of time and are likely to be highly mobile.

Note For the Cisco OEAP 600 Series access point, do not enable Coverage Hole Detection.

Enable Session Timeout

Session timeout that you can enable or disable. Maximum time in seconds for a client session before requiring reauthorization.

Aironet IE Support of Aironet IEs on a per WLAN basis that you can enable or disable. The default is disabled. This option is not available for guest LANs and remote LANs.

Note For the Cisco OEAP 600 Series access point, do not enable Aironet IE.

Diagnostic Channel

Diagnostic channel support on the WLAN that you can enable or disable. The default is disabled. This option is not available for guest LANs and remote LANs.



Override Interface ACL

Access Control List (ACL) that overrides the ACL configured for the interface on this WLAN. ACLs are configured on the Access Control Lists page.

• IPv4 ACL—Lists the IPv4 ACL that needs to be applied on this WLAN. ACLs are configured on the Access Control Lists page.

• IPv6 ACL—Lists the IPv6 ACL that needs to be applied on this WLAN. ACLs are configured on the Access Control Lists page.

Layer 2 ACL List the layer 2 ACL that needs to be applied to the WLAN. ACLs are configured on the Access Control Lists page.

P2P Blocking Action

Peer-to-peer blocking settings that you can choose.

• Disabled—(Default) Disables peer-to-peer blocking and bridges traffic locally within the Cisco WLC whenever possible.

Note Traffic is never bridged across VLANs in the Cisco WLC.

• Drop—Causes the Cisco WLC to discard the packets.

• Forward-UpStream—Causes the packets to be forwarded on the upstream VLAN. The device above the Cisco WLC decides what action to take regarding the packets.

For FlexConnect local switching WLANs, the settings are as follows:

• Disabled—(Default) Disables peer-to-peer blocking and bridges traffic locally within the AP whenever possible.

• Drop—Causes the AP to discard the packets.

• Forward-UpStream—Causes the AP to discard the packets.

Client Exclusion

Timeout in seconds for disabled client machines that you can enable or disable. Client machines are disabled by their MAC address and their status can be observed on the Client Details page. A timeout setting of 0 indicates that administrative control is required to re-enable the client. The default is enabled and the timeout setting configured as 60 seconds.

Maximum Allowed Clients

Maximum clients allowed per Cisco WLC.

You can set a limit to the number of clients that can connect to a WLAN. This feature is useful in scenarios where you have a limited number of clients that can connect to a Cisco WLC. For example, consider a scenario where the Cisco WLC can server up to 256 clients on a WLAN that can be shared between enterprise users (employees) and guest users. You can set a limit on the number of guest clients that can access a given WLAN. The number of clients that you can configure per WLAN depends on the platform that you are using. The range is from 1 to 200.

The number of clients that you can configure for a specific platform is as follows:

• Cisco 5500 Series Controller—7000

• Cisco 7500 Series Controller—30000

• WiSM2—15000

Note The maximum number of clients per WLAN feature is supported only for access points that are in connected mode.

Note This feature is not supported when you use FlexConnect local authentication and is not applicable for remote and guest LANs.





Static IP Tunneling

Check box that you enable to configure static IP client tunneling support on a WLAN. The following restrictions apply when configuring Static IP tunneling in coordination with other features on the same WLAN:

• Auto anchoring mobility (guest tunneling) cannot be configured for the same WLAN.

• FlexConnect local authentication cannot be configured for the same WLAN.

• DHCP required option cannot be configured for the same WLAN.

Note Dynamic anchoring of static IP clients cannot be configured with FlexConnect local switching.

Wi-Fi Direct Clients Policy

Drop-down list from which you can choose a Wi-Fi Direct Clients Policy for a WLAN.

Devices that are Wi-Fi Direct capable can connect directly to each other quickly and conveniently to do tasks such as printing, synchronization, and sharing of data. Wi-Fi Direct devices may associate with multiple peer-to-peer (P2P) devices and with infrastructure WLANs concurrently. Use the Cisco WLC to configure the Wi-Fi Direct Clients Policy, on a per WLAN basis, where you can allow or disallow the association of Wi-Fi devices with infrastructure WLANs, or disable the Wi-Fi Direct Clients Policy for WLANs.

Note Wi-Fi Direct Clients Policy is applicable to WLANs that have APs in local mode only.

The following options are available:

• Disabled—Disables the Wi-Fi Direct Clients Policy for the WLAN and deauthenticates all Wi-Fi Direct clients

• Allow—Allows Wi-Fi Direct clients to associate with the WLAN

• Not-Allow—Disallows the Wi-Fi Direct clients from associating with the WLAN

Maximum Allowed Clients Per AP Radio

Maximum number of clients that are allowed to connect to an AP.

The maximum number you can configure is 200.

Clear HotSpot Configuration

WLAN HotSpot configuration that you can clear.

Client User Idle Timeout

Timeout for idle client sessions for a WLAN. This value overrides the global timeout value. The range is from 15 to 100000 seconds. The default value is 300 seconds.

Client User Idle Threshold

Threshold data sent by the client during the idle timeout for the client session. If the client send traffic less than the defined threshold, the client is removed on timeout. The range is from 0 bytes to 10 MB. The default value is 0 bytes.

Radius NAI-Realm

Enable this to match any incoming EAP request from clients that contain relam with the realm configured on RADIUS authentication and accounting servers.

Off Channel Scanning Defer

Scan Defer Priority

Assign a defer priority for the channel scan by clicking on the priority argument. The valid range for the priority is 0 to 7. The priority is 0 to 7 (this value should be set to 6 on the client and on the WLAN).

Scan Defer Time (msecs)

Assign the channel scan defer time in milliseconds. The valid range is 100 (default) to 60000 (60 seconds). This setting should match the requirements of the equipment on your wireless LAN.

FlexConnect





FlexConnect Local Switching

FlexConnect local switching that you can enable or disable. Any remote access point that advertises this WLAN, instead of tunneling to the Cisco WLC, can locally switch data packets.

Note In a network architecture where the WLAN is configured in FlexConnect local switching mode, if the client and Cisco WLC are in the same VLAN, a ping action will fail. Ping actions from the client to the Cisco WLC will work if both the client and Cisco WLC are on different VLANs.

Note The FlexConnect Local Switching text box must be enabled to enable local authentication.

FlexConnect Local Auth

FlexConnect local authentication that you can enable or disable.

Learn Client IP Address

Client IP address learning (this option is available when you enable FlexConnect Local Switching) that you can enable or disable.

Note If the client is configured with Fortress Layer 2 encryption, the Cisco WLC cannot learn the client IP address and will periodically drop the client. Disable this option so that the Cisco WLC maintains the client connection without waiting to learn the client IP address.

VLAN based Central Switching

VLAN central switching that you can enable or disable on the WLAN. You must enable FlexConnect local switching and an AAA override on the WLAN.

When you enable VLAN central switching, the access point bridges the traffic locally if the AAA override VLAN for the client is configured on the local IEEE 802.1Q link. If the AAA override VLAN is not configured on the access point, the AP tunnels the traffic back to the Cisco WLC and the Cisco WLC bridges the traffic to the corresponding VLAN.

VLAN central switching does not support:

• FlexConnect Local Authentication

• Layer 3 roaming of local switching client

Central Assoc Check box to maintain the association table centrally on the controller. Disable this check box to maintain the association table locally on the AP.

Lync

Lync Server To enable or disable WLAN Lync SDN service.

11k

Assisted Roaming Prediction Optimization

Check box to enable or disable assisted roaming prediction optimization for the WLAN.

Neighbor List Check box to enable or disable 802.11k neighbor list for the WLAN.

Neighbor List Dual Band

Check box to enable or disable a dual-band 802.11k neighbor list for the WLAN.

DHCP

DHCP Server When Override is selected, you can enter the IPv4 address of a DHCP server to be used by overriding the Primary/Secondary DHCP servers specified within the interface configuration.

Note IPv6 is not supported for DHCP Server override.





DHCP Addr. Assignment (Required)

Requires all WLAN clients to obtain an IP address from the DHCP Server.

Note DHCP address assignment (Required) is not supported for wired Guest LANs.

Note DHCP Server override is applicable only for the default group.

OEAP

Split Tunnel Check box to enable split tunneling on OEAP access points.

Management Frame Protection (MFP)

MFP Client Protection

Disabled, Optional, or Required.

The client MFP will only be active for a session if the client supports Cisco Compatible eXtensions (CCX) MFP, and if WPA2 is negotiated with the client. If Optional is selected, clients that do not negotiate MFP will be allowed to associate. If Required is selected, only clients that successfully negotiate MFP will be allowed to associate.

This option is not available for guest LANs and remote LANs.

Note The Cisco OEAP 600 Series access point does not support MFP.

Note This check box represents the status of the Cisco MFP and not the status of 802.11w, introduced in Release 7.4

DTIM Period (in beacon intervals)

802.11a/n (1 - 255)

Delivery Traffic Indication Map (DTIM) Period. Number of beacon intervals that elapse between the transmission of beacon frames that contain a TIM element whose DTIM Count field is 0. Valid values are from 1 to 255; the default value is 1. This option is not available for guest LANs and remote LANs.802.11b/g/n (1 -

255)

NAC





NAC State Enables SNMP NAC or RADIUS NAC.

• SNMP—Enables SNMP NAC support for the WLAN.

• Radius NAC—Enables RADIUS NAC support for the WLAN.

Cisco Identity Services Engine (ISE) is a next-generation, context-based access control solution that provides the functions of Cisco secure Access Control System (ACS) and Cisco Network Admission Control (NAC) in one integrated platform.

Cisco ISE can be used to provide advanced security for your deployed network. It is an authentication server that you can configure on your Cisco WLC. When a client associates to the Cisco WLC on a RADIUS NAC-enabled WLAN, the Cisco WLC forwards the request to the ISE server.

The ISE server validates the user in the database and on successful authentication, the URL and pre-AUTH ACL is sent to the client. The client then moves to the “Posture Required” state and is redirected to the URL returned by the ISE server. The NAC agent in the client triggers the posture validation process. On a successful posture validation by the ISE server, the client is moved to the RUN state.

This feature enables you to create a RADIUS NAC-enabled WLAN with open authentication and MAC filtering. If you are using local web authentication with RADIUS NAC, the Layer 3 web authentication must also be enabled. Both internal and external web authentication are supported.

The following restrictions apply:

• RADIUS NAC functionality with VLAN override is not available.

• During slow roaming, the client goes through posture validation.

• Guest tunneling mobility is supported for ISE NAC-enabled WLANs.

• The VLAN select feature is not supported.

• The NAC agent may also be available in a non-NAC-enabled WLAN.

• The workgroup bridges are not supported.

• The AP group over NAC feature is not supported over RADIUS NAC.

Note Do not swap AAA server indexes in a live network. This action might result in clients being disconnected and having to reconnect to the RADIUS server and log messages to be appended to the ISE server logs.

When clients move from one WLAN to another, the Cisco WLC retains the client’s audit session ID if it returns to the WLAN before the idle timeout occurs. As a result, when clients join back to the Cisco WLC before the idle timeout session expires, they are immediately moved to the RUN state. The clients are validated if they reassociate with the Cisco WLC after the session timeout.

Suppose you have two WLANs, where WLAN 1 is configured on a Cisco WLC (WLC1) and WLAN2 configured on another Cisco WLC (WLC2) and both are RADIUS NAC-enabled. The client first connects to WLC1 and moves to the RUN state after posture validation. Assume that the client now moved to WLC2. If the client connects back to WLC1 before the PMK expires for this client in WLC1, the posture validation is skipped for the client. The client directly moves to the RUN state bypassing posture validation as the Cisco WLC retains the old audit session ID for the client that is already known to ISE.





When deploying RADIUS NAC in your wireless network, do not configure a primary and secondary ISE server. Instead, we recommend that you configure HA between the two ISE servers. Having a primary and secondary ISE setup will require a posture validation to happen before the clients move to the RUN state. If HA is configured, the client is automatically moved to the RUN state in the fallback ISE server.

Cisco WLC software configured with RADIUS NAC does not support change of authorization (CoA) on the service port.

Load Balancing and Band Select

Note Client Load Balancing and Client Band Select is not available for the Cisco OEAP 600.

Client Load Balancing

Client load balancing that you can enable or disable.

Client Band Select

Client radio band that you can enable or disable.

Note Band Select is configurable only when the radio policy is set to All in the General Tab.

Passive Client

Passive Client Passive clients that you can enable or disable on your WLAN.

Passive clients are wireless devices such as scales and printers that are configured with a static IP address. These clients do not transmit any IP information such as IP address, subnet mask, and gateway information when they associate with an access point. As a result, when passive clients are used, the Cisco WLC will never know the IP address unless they use DHCP.

Cisco WLC currently act as a proxy for ARP requests. On receiving an ARP request, the Cisco WLC responds with an ARP response instead of passing the request directly to the client. This has two advantages:

• The upstream device that sends out the ARP request to the client cannot know where the client is located.

• Power for battery-operated devices such as mobile phones and printers is preserved because they do not need to respond to every ARP request.

Since the wireless Cisco WLC does not have any IP-related information about passive clients, it cannot respond to any ARP requests. The current behavior does not allow the transfer of ARP requests to passive clients. Any application that tries to access a passive client results in a failure.

This feature enables ARP requests and responses to be exchanged between wired and wireless clients.

This feature when enabled allows the Cisco WLC to pass ARP requests from wired to wireless clients until the desired wireless client gets to RUN state.

Note This feature is supported only on the Cisco 5500 Series Controllers.

Note Passive clients are not supported with AP groups and FlexConnect centrally switched WLANs.

This feature works on the multicast-multicast mode of multicast operation.

Voice

Media Session Snooping

Access points that you can enable or disable to detect the establishment, termination, and failure of Session Initiation Protocol (SIP) voice calls and then report them to the Cisco WLC and PI.

See the Radio Statistics page to see the VoIP statistics for your access point radios.

See the SNMP Trap Logs page to see the traps generated for failed calls.





Re-anchor Roamed Voice Clients

Reanchoring of roamed voice clients that you can enable or disable.

This feature allows the voice client to get anchored on the best suited and nearest available Cisco WLC. In the case of inter Cisco WLC roaming, it avoids the use of tunnels to carry traffic between the foreign Cisco WLC and the anchor Cisco WLC, which removes unnecessary traffic from the network.

The ongoing call during roaming is not affected and it continues without any problem. The traffic passes through proper tunnels that are established between the foreign Cisco WLC and the anchor Cisco WLC. When the call ends, disassociation occurs and the client gets reassociated to a new Cisco WLC. By default, this feature is disabled.

Note The ongoing data session may be affected due to dissociation and reassociation.

Note This feature is supported for TSPEC-based calls and non-TSPEC-SIP based calls only when admission control is enabled.

Note You can reanchor roaming of voice clients for each WLAN.

Note This feature is not recommended for use on the Cisco 792x phone.

KTS based CAC Policy

To enable or disable CAC that is based on Key Telephone System (KTS) for the WLAN.

KTS-based CAC is a protocol that is used in NEC MH240 wireless IP telephones. You can configure the Cisco WLC to support CAC on KTS-based SIP clients, to process bandwidth request message from such clients, to allocate required bandwidth on the AP radio, and to handle other messages that are part of the protocol.

When a call is initiated, the KTS-based CAC client sends a Bandwidth Request message to which the Cisco WLC responds with a Bandwidth Confirm message indicating whether the bandwidth is allocated or not. The call is allowed only if the bandwidth is available. If the client roams from one AP to another, then the client sends another Bandwidth Request message to the Cisco WLC.

Bandwidth allocation depends on the medium time calculated using the data rate from the Bandwidth Request message and the packetization interval. For KTS-based CAC clients, G.711 codec with 20 milliseconds as packetization interval is used for computing the medium time.

The Cisco WLC releases the bandwidth after it receives the bandwidth release message from the clients. When the client roams to another AP, the Cisco WLC takes care of releasing the bandwidth on the previous AP and allocates bandwidth on the new AP, in both intra Cisco WLC and inter Cisco WLC roaming scenarios. The bandwidth is released if the client is dissociated or if there is inactivity for 120 seconds. The Cisco WLC does not inform the client when the bandwidth is released for the client due to inactivity or dissociation of the client.

Limitations:

• KTS-based CAC is not supported on FlexConnect access points with the WLAN in the local switching mode.

• The Cisco WLC ignores the SSID capability check request message from the clients.

• Preferred call is not supported for KTS CAC clients.

• Reason code 17 is not supported in inter Cisco WLC roaming scenarios.

• This feature is applicable only when the QoS profile is set to Platinum for the WLAN.




Chapter 3 WLANs Tab Deleting WLANs


Deleting WLANs Click the WLANs tab. This displays the list of WLANs. Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Remove to delete the WLAN, Remote LAN, or Guest LAN. When you delete the WLAN, it will be removed from the AP group too.

Mobility AnchorsClick the WLANs tab. This displays the list of WLANs. Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Mobility Anchors to navigate to the Mobility Anchors page.

This page lists the Cisco WLCs that have already been configured as mobility anchors and shows the current state of their data and control paths. Cisco WLCs within a mobility group communicate among themselves over a well-known UDP port and exchange data traffic through an Ethernet-over-IP (EoIP) tunnel. Cisco WLCs send mpings and epings. Mpings test the mobility control packet reachability over

RADIUS Client Profiling

DHCP Profiling Check box to enable or disable DHCP profiling of all the clients that are associated with the WLAN. When you enable DHCP profiling, the Cisco WLC collects the DHCP attributes of clients for profiling.

HTTP Profiling Check box to enable or disable HTTP profiling of all the clients that are associated with the WLAN. When you enable HTTP profiling, the Cisco WLC collects the HTTP attributes of clients for profiling.

PMIP

PMIP Mobility Type

Choose the type of PMIP mobility for the WLAN.


• None—Configures the WLAN with Simple IP.

• PMIPv6—Configures the WLAN with only PMIPv6.

PMIP NAI Type Drop-down list from which you can choose the PMIP NAI Type as Hexadecimal or Decimal.

PMIP Profile Drop-down list from which you can choose a PMIP profile. You can configure the PMIP profile irrespective of the mobility type.

PMIP Realm Default realm of the PMIPv6 WLAN.

mDNS

mDNS Snooping

Check box to enable or disable mDNS snooping on the WLAN. To check if global mDNS snooping is enabled, choose CONTROLLER > mDNS > General. mDNS snooping works on guest LANs and not on remote LANs.

mDNS Profile Drop-down list from which you can choose the mDNS profile for the WLAN. Clients receive service advertisements only for the services associated with the profile.




Chapter 3 WLANs Tab Mobility Anchors

the management interface over mobility UDP port 16666 and epings test the mobility data traffic over the management interface over EoIP port 97. The Control Path field shows whether mpings have passed (up) or failed (down), and the Data Path field shows whether epings have passed (up) or failed (down). If the Data Path field shows “down,” the mobility anchor cannot be reached and is considered failed.

Mobility anchors can also be used to provide geographic load balancing, because WLANs can be used to represent a particular section of the building such as engineering, marketing, and so on.

This table describes the mobility anchor parameters.

Creating a Mobility Anchor

Step 1 Click the WLANs tab. This displays the list of WLANs.

Step 2 Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Mobility Anchors to navigate to the Mobility Anchors page.

Step 3 Choose a Cisco WLC IP address from the Switch IP Address (Anchor) drop-down list. From Release 8.0, the controller supports both IPv4 and IPv6.

Step 4 Click Mobility Anchor Create.

The selected Cisco WLC now becomes an anchor for the WLAN.

Note A Cisco 2000 Series Wireless LAN Controller cannot be designated as an anchor for a WLAN. However, a WLAN created on a Cisco 2000 Series Wireless LAN Controller can have a Cisco 4100 Series Wireless LAN Controller and Cisco 4400 Series Wireless LAN Controller as its anchor.

Table 3-16 Mobility Anchor Parameters


WLAN SSID WLAN SSID.

Switch IP Address (Anchor) IP address of the Cisco WLC that is designated as a mobility anchor.

Choose local from the drop-down list for the anchor Cisco WLC and all Cisco WLCs that are auto-anchors for this WLAN.

For foreign Cisco WLCs, select the anchor Cisco WLC from the drop-down list. Only Cisco WLCs configured as a mobility group members are available in the drop-down list.

Data Path Whether epings have passed (up) or failed (down). If the Data Path field shows down, the mobility anchor cannot be reached and is considered failed.

Control Path Whether mpings have passed (up) or failed (down).

Mobility Anchor Create Mobility anchor that you can create. The selected Cisco WLC becomes an anchor for the WLAN.

Switch IP Address (Anchor) Cisco WLC IP address from the drop-down list. You can select from either local, IPv4 address or an IPv6 address.


Chapter 3 WLANs Tab 802.11u

Removing a Mobility Anchor


Step 2 Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Mobility Anchors to navigate to the Mobility Anchors page.

Step 3 Click the blue arrow adjacent the corresponding Mobility Anchor and choose Remove.

802.11uClick the WLANs tab. This displays the list of WLANs. Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose 802.11u to navigate to the 802.11u page.

This page lists the 802.11u configuration options available for the selected WLAN. You can configure a WLAN to enable interworking with external networks such as hotspots or other public Wi-Fi.

IEEE 802.11u is an extension to the IEEE 802.11 standard to improve the ability of devices to discover, authenticate, and use nearby Wi-Fi access points. IEEE 802.11u enables automatic WLAN offload for 802.1X devices at the hotspot of mobile or roaming partners.

This table describes the 801.11u parameters.

Table 3-17 801.11u General Parameters


802.11u Status 802.11u that you can enable or disable on this WLAN.

Internet Access Internet access that you can enable or disable on this WLAN.

Network Type Network type that you can set on this WLAN. The following options are available:

• Private Network

• Private Network with Guest Access

• Chargeable Public Network

• Free Public Network

• Emergency Services Only Network

• Personal Device Network

• Test or Experimental

• Wildcard

The default value is Chargeable Public Network.



This table describes the OUI parameters.

Network Auth Type Network authentication type that you can set on this WLAN for 802.11u. The following options are available:

• Not configured

• Acceptance of terms and conditions

• Online enrollment

• HTTP/HTTPS redirection

• DNS Redirection

HESSID Homogenous Extended Service Set Identifier (HESSID) that you can enter. The HESSID must be a valid MAC address that uniquely identifies the network. We recommend that the HESSID must be the actual BSSID of the first access point.

IPv4Type IPv4 type address. The following options are available:

• Unknown

• Not available

• Public address

• Port-restricted

• Single NATed private

• Double NATed private

• Port-restricted and single NATed

• Port-restricted and double NATed

IPv6Type IPv6type address. The following options are available:

• Unknown

• Not available

• Available

The default value is Unknown.

Table 3-17 801.11u General Parameters


Table 3-18 OUI List Parameters


OUI Organization Unique Identifier that you can enter. The OUI must be a hexadecimal number represented in six or ten characters. For example, AABBDF.

Is Beacon OUI beacon responses that you can enable or disable. You can have a maximum of 3 OUIs with this field enabled.

OUI Index Organization Unique Identifier index. Choose a value between 1 and 32 from the drop-down list. The default is 1.



Click Add to add the OUI details.

This table describes the domain list parameters.

Click Add to add the Domain List parameters.

This table describes the realm list parameters.

Click Add to add a realm.

This table describes the cellular network parameters.

Table 3-19 Domain List Parameters


Domain Name Domain name that is operating in the WLAN network. The domain name is case sensitive and you can use alphanumeric characters.

Domain Index Domain index of the domain name. Choose a value between 1 and 32 from the drop-down list. The default is 1.

Table 3-20 Realm List Parameters


Realm Realm name that you can assign for this WLAN.

Realm Index Realm index that you can assign to this realm name. Choose a value between 1 and 32 from the drop-down list. The default is 1.

EAP List Field that appears when you click on a realm name. It allows you to define the EAP method and EAP index for the realm.

EAP Method EAP method for the realm in the WLAN. The following options are available:

• LEAP

• PEAP

• EAP-PEAP

• EAP-TLS

• EAP-FAST

• EAP-SIM

• EAP-TTLS

• EAP-AKA

EAP Index EAP index. The range is 1 to 4.

Table 3-21 Cellular Network Information List


Country Code Mobile country code in Binary Coded Decimal (BCD) format. The country code should be 3 characters.


Chapter 3 WLANs Tab HotSpot 2.0

Click Add to add the Cellular Network Information.


HotSpot 2.0Click the WLANs tab. This displays the list of WLANs. Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Hotspot 2.0 to navigate to the HotSpot 2.0 page.

Hotspot 2.0 improves the ability of Wi-Fi devices to discover and securely connect to public Wi-Fi hotspots which enables easier roaming between public Wi-Fi networks.

You can enable or disable a hotspot by choosing the appropriate option from the HotSpot2 Enable drop-down list.

This table describes the HotSpot parameters.

This table describes the operator parameters.

Cellular Index Cellular Index. The range is from 1 to 32.

Network Code Mobile network code in BCD format. The network code can be 2 or 3 characters.

Table 3-21 Cellular Network Information List


Table 3-22 HotSpot 2.0 General Parameters


HotSpot2 HotSpot2 that you can enable or disable on this WLAN.

WAN Link Status Link status. The following options are available:

• Not configured

• Link Up

• Link Down

• Link in Test

WAN Symmetric Link Status

Downlink and uplink speed of the WAN backhaul link. The following options are available:

• Same

• Different

WAN Downlink Speed

Downlink speed of the WAN backhaul link in kbps. The maximum value is 4,294,967,295 kbps.

WAN Uplink Speed Uplink speed of the WAN backhaul link in kbps. The maximum value is 4,294,967,295 kbps.


Chapter 3 WLANs Tab HotSpot 2.0

Click Add to add the operator name.

This table describes the port config parameters.

Table 3-23 Operator Name List Parameters


Operator Name Operator name of the hotspot provider that you can enter.

Operator Index Operator index of the hotspot provider that you can assign. Choose a value between 1 and 32 from the drop-down list. The default is 1.

Language code Language code that you can enter. For example, you can enter ENG for English.

Table 3-24 Port Config List Parameters


IP Protocol Internet protocol name that you can select. This parameter provides information on the connection status of the most commonly used communication protocols and ports.


• ICMP

• FTP/SSH/TLS/PPTP VPN/VOIP

• IKEv2 (IPSec VPN/VoIP/ESP)

Port No. Port number used for the IP. The following options are available:

• ICMP/ESP (IPSec-VPN)

• FTP

• SSH

• HTTP

• TLS-VPN

• IKEv2

• PPTP-VPN

• IPSec-NAT

• VoIP

Status Status of the IP port. The following options are available:

• Closed

• Open

• Unknown

Index Port configuration index that you can configure. Choose a value between 1 and 10 from the drop-down list. The default is 1.


Chapter 3 WLANs Tab Foreign Maps

Foreign MapsClick the WLANs tab. This displays the list of WLANs.

Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Foreign Maps to navigate to the Foreign Controller Interface Mapping page.

Whenever a wireless client connects to a wireless network (WLAN), the client is placed in a VLAN that is associated with the WLAN. Release 7.0 and prior releases of the Cisco WLC software enabled you to associate one VLAN with a WLAN. Each VLAN required a single IP subnet. As a result, a WLAN required a large subnet to accommodate more clients. In a large venue such as an auditorium, a stadium, or a conference where there may be numerous wireless clients, having only a single WLAN to accommodate many clients might be a challenge.

The VLAN select feature enables you to use a single WLAN that can support multiple VLANs. Clients can get assigned to one of the configured VLANs. This feature enables you to map a WLAN to a single or multiple interfaces using interface groups. Wireless clients that associate to the WLAN get an IP address from a pool of subnets identified by the interfaces using a MAC based hashing algorithm. This feature also extends the current AP Group where AP groups can override an interface or interface group in a WLAN by an interface. This feature also provides the solution to guest anchor restrictions where a wireless guest user on a foreign location can get an IP address from multiple subnets based on their foreign locations or foreign Cisco WLCs from the same anchor Cisco WLC.

When a client roams from one Cisco WLC to another, the foreign Cisco WLC sends the VLAN information as part of the mobility announce message. Based on the VLAN information received, the anchor decides whether the tunnel should be created between the anchor Cisco WLC and the foreign Cisco WLC. If the same VLAN is available on the foreign Cisco WLC, the client context is completely deleted from the anchor and the foreign Cisco WLC becomes the new anchor Cisco WLC for the client.

As part of VLAN select feature, the mobility announce message carries an additional vendor payload that contains the list of VLAN interfaces that are mapped to a WLAN. This list helps the anchor to decide on a Local->Local type of handoff.

Note VLAN Select applies to wireless clients only.

This table describes the foreign map parameters.

Table 3-25 Foreign Map Parameters


WLAN SSID WLAN SSID.

Foreign Controller MAC Address

Foreign Cisco WLC MAC address on a WLAN.

Interface / Interface Group Name (G)

Interface/interface group name that is mapped to a foreign switch.

Add Mapping Mobility foreign map that you can add to a WLAN.

Foreign Controller MAC Address

Information about the MAC address of the foreign Cisco WLC to this interface/interface group.

Interface / Interface Group (G) Interface/interface group.


Chapter 3 WLANs Tab Service Advertisement

Creating a Foreign Cisco WLC Interface Mapping


Step 2 Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Foreign Maps to navigate to the Foreign Controller Interface Mapping page.

Step 3 From the Foreign Controller MAC Address drop-down list, choose a foreign Cisco WLC MAC address.

Step 4 From the Interface/Interface Group Name drop-down list, choose the interface/interface group name to be mapped to a foreign switch.

Step 5 Click Add Mapping.

Removing Foreign Maps


Step 2 Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Foreign Maps to navigate to the Foreign Controller Interface Mapping page.

Step 3 Click the blue arrow adjacent the corresponding Foreign Controller and choose Remove.

Service AdvertisementClick the WLANs tab. This displays the list of WLANs.

Click the blue arrow adjacent the corresponding WLAN, and from the drop-down list that is displayed, choose Service Advertisement to navigate to the Service Advertisement page.

This page allows you to configure the Mobility Service Advertisement Protocol (MSAP) parameters on a WLAN. MSAP is used primarily by mobile devices that are configured with a set of policies for establishing network services. Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement.

This table describes the MSAP parameters.

Table 3-26 MSAP Parameters


MSAP Enable Service advertisements that you can enable or disable on the WLAN.

Server Index MSAP server ID. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID. The range is from 1 to 10.


Chapter 3 WLANs Tab Service Advertisement

Configuring Dynamic Anchoring for Clients with a Static IP AddressYou might need to configure static IP addresses for wireless clients. When these wireless clients move in a network, they try to associate with other Cisco WLCs. If the clients try to associate with a Cisco WLC that does not support the same subnet as the static IP, the clients fail to connect to the network. You can now enable dynamic tunneling of clients with static IP addresses. Using this feature, clients with static IP addresses can be associated with other Cisco WLCs where the client’s subnet is supported by tunneling the traffic to another Cisco WLC in the same mobility group. This feature enables you to configure your WLAN so that the network is serviced even though the clients use static IP addresses.

The following sequence occurs when a client with a static IP address tries to associate with a Cisco WLC:

1. When a client associates with a Cisco WLC, such as WLC-1, it performs a mobility announcement. If a Cisco WLC in the mobility group responds (such as WLC-2), the client traffic is tunneled to the Cisco WLC WLC-2. As a result, WLC 1 becomes foreign and WLC-2 becomes the anchor.

2. If none of the Cisco WLCs responds, the client is treated as a local client and authentication is performed. The IP address for the client is updated either through orphan packet handling or ARP request processing. If the client’s IP subnet is supported in the Cisco WLC (WLC-1), the client remains as a local client and traffic for this client is serviced by this Cisco WLC (WLC-1).

3. If the Cisco WLC (WLC-1) cannot service the client IP subnet, it sends a static IP client announcement. If a Cisco WLC in the mobility group responds (such as WLC2), the client is tunneled to WLC2. If there are multiple Cisco WLCs in the mobility group that respond to the static IP client announcement, the first Cisco WLC with a 50 percent or less load is selected for tunneling. If there are no Cisco WLCs with a 50 percent or less load, the Cisco WLC with the least load is selected.

4. If the maximum number of clients per WLAN is configured, the percentage load is calculated by using the following formula:

– (total clients present in that WLAN/maximum clients supported in that WLAN) x 100.

or

– (total clients present in the WLC/maximum clients supported) x 100.

5. Once the acknowledgement is received, the client traffic is tunneled between the anchor and the Cisco WLC (WLC-1).

Note If a WLAN is configured with an interface group and any of the interfaces in the interface group support the static IP client subnet, the client is assigned to that interface. This situation occurs in the local or remote (static IP anchor) Cisco WLC. For native IPv6 clients, that is clients with only IPv6 addresses, in the interface group, static IP is not supported.

Note A security level 2 authentication is performed only in the local (static IP foreign) Cisco WLC, also known as the exported foreign Cisco WLC.

Note If AAA is used for authentication, the VLAN override is ignored if static IP tunneling is required. You must configure the local Cisco WLC with the correct AAA server where this client entry is present.


Chapter 3 WLANs Tab Configuring the Maximum Number of Clients Per WLAN

The following restrictions apply when configuring static IP tunneling with other features on the same WLAN:

• Auto anchoring mobility (guest tunneling) cannot be configured for the same WLAN.

• FlexConnect local authentication cannot be configured for the same WLAN.

• The DHCP required option cannot be configured for the same WLAN.

Note Dynamic anchoring of static IP clients cannot be configured with FlexConnect local switching.

Configuring Dynamic Anchoring of Static IP Clients


Step 2 Click the ID number of the desired WLAN on which you want to enable dynamic anchoring of IP clients. The WLANs > Edit page appears.

Step 3 Choose the Advanced tab to open the WLANs > Edit (Advanced) page.

Step 4 Enable dynamic anchoring of static IP clients by selecting the Static IP Tunneling check box.


Configuring the Maximum Number of Clients Per WLANYou can set a limit to the number of clients that can connect to a WLAN. This feature is useful in scenarios where you have a limited number of clients that can connect to a Cisco WLC. For example, consider a scenario where the Cisco WLC can server up to 256 clients on a WLAN that can be shared between enterprise users (employees) and guest users. You can set a limit on the number of guest clients that can access a given WLAN. The number of clients that you can configure per WLAN depends on the platform that you are using. The range is from 1 to 200.


Step 2 Click the ID number of the WLAN for which you wish to limit the number of clients. The WLANs > Edit page appears.

Step 3 On the Advanced tab, set the Maximum Allowed Clients text box.


AP GroupsChoose WLAN > Advanced > AP Groups to navigate to the AP Groups page. This page displays a summary of the AP groups configured on your network. This page enables you to add, remove, or view details of an AP group.


Chapter 3 WLANs Tab AP Groups

After you create up to 512 WLANs on the Cisco WLC, you can selectively publish them (using access point groups) to different access points to better manage your wireless network.

After all access points have joined the Cisco WLC, you can create up to 150 access point groups and assign up to 16 WLANs to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group.

Note The Cisco WLC creates the default-group access point group and automatically populates it with the first 16 WLANs (WLANs with IDs 1 through 16, or fewer if 16 WLANs are not configured). This default group cannot be modified (you cannot add WLANs to it and you cannot delete WLANs from it). It is dynamically updated whenever the first 16 WLANs are added or deleted. If an access point does not belong to an access point group, it is assigned to the default group and uses the WLANs in that group. If an access point joins the Cisco WLC with an undefined access point group name, the access point keeps its group name but uses the WLANs in the default-group access point group.

Note If you clear the configuration on the Cisco WLC, all of the access point groups disappear except for the default-group access point group.

Note The OEAP 600 Series access point supports a maximum of two WLANs and one remote LAN. If you have configured more than two WLANs and one remote LAN, you can assign the 600 Series access point to an AP group. The support for two WLANs and one remote LAN still applies to the AP group if the 600 Series OEAP is in the default group. The WLAN/remote LAN IDs must be less than 8.

To remove an AP group, click the blue arrow adjacent the gruop and choose Remove.

An error message appears if you try to delete an access point group that is used by at least one access point. Before you can delete an AP group, move all APs in this group to another group. The access points are not moved to the default-group access point group as in previous releases.

• To see the APs, click the AP group name, and choose the APs tab.

• To move APs, click the AP group name, choose the APs tab, check the check box to the left of the AP name, or select the AP name check box to select all APs, and click the Add APs.

Prohibit One VLAN for Local Switching by FlexConnect

Choose an interface for Prohibit Local Switching from the drop-down list in the interface list page. Click Apply to prohibit local switching of the interface by the Cisco WLC. Click New to select another VLAN for the same action.

Creating a New AP Group

Step 1 On the WLAN > AP Groups page, click Add Group to display the Add New AP Group area.

Step 2 In the AP Group Name text box, enter the name of the AP group.

Step 3 In the Description text box, enter a brief description of the AP group.

Step 4 Click Add to add the AP group.



The AP group is created.

Editing AP GroupsChoose WLAN > Advanced > AP Groups and then click an AP group name to navigate to this page.

General Tab

Note AP 3600 with the 802.11ac module advertises only the first eight WLANs on the 5-GHz radios.

This table describes the general AP parameters.

Table 3-27 General Parameters


AP Group Name AP group name.

AP Group Description AP group description.



Enable Client Traffic QinQ When enabled, double 802.1q tagging is enabled for client traffic associated to APs that are part of the WLAN and AP-Group.

QinQ Service VLAN ID must be configured for this to work.

Enable DHCPv4 QinQ When enabled, double 802.1q tagging is enabled for client DHCPv4 packets associated to APs that are part of the WLAN and AP-Group.

QinQ Service VLAN ID must be configured for this to work.



WLANs Tab

Click Add New to assign a WLAN to an access point group.


QinQ Service VLAN ID QinQ Service VLAN ID is the outer VLAN ID and the Interface mapped to WLAN in AP-Group will act as inner VLAN ID.

CAPWAP Preferred Mode Select the check box to configure the CAPWAP Preferred mode for the AP Group. You can select between an IPv4 or IPv6. By field is by default un-configured.

Note The CAPWAP Preferred Mode can either be configured Globally (Controller > General Tab > CAPWAP Preferred Mode) or on a AP Group. If you unselect the check box, global configuration will take precedence.

Note The above configuration will be displayed in the Wireless > ALL APs > General Tab > IP Config.

Note The CAPWAP Preferred Mode field does not appear under the default-group. The APs by default are part of the default-group.



Table 3-28 WLANs Tab Parameters


WLAN SSID WLAN SSID that you can select from the drop-down list.

Interface/Interface Group (G)

Interface name that you can select from the drop-down list.

SNMP NAC State SNMP NAC out-of-band support for this access point group that you can enable or disable.

Note If you enable SNMP NAC out-of-band support, be sure to choose the quarantine VLAN from the Interface Name drop-down list.

Add button/Cancel button Click Add to add this WLAN to the access point group. Click Cancel to close the Add New area without making any changes.

WLAN ID Information about the WLANs that are currently assigned to this access point group.

WLAN SSID Information about the WLAN SSID.



Click the blue arrow adjacent the corresponding WLAN and choose one of the following options:

• NAC Enable/NAC Disable—Changes the SNMP NAC state.

• Policy-Mapping—Configures the policies for the WLAN.

You can configure a maximum of 16 policies. In the AP Group > Policy Mappings page, you can configure a priority index and a policy. To define new policies, choose Security > Local Policies > New.

• Remove—Removes a WLAN from the access point group.

RF Profile Tab

This table describes the RF profile parameters.

Click Apply to apply the RF profile selected for the APs.

Note Applying an RF profile results in a reboot of all the APs associated with the AP Group.

APs Tab


Interface Name/Interface Group (G)

Interface name or interface group that you can select from the drop-down list.

SNMP NAC State SNMP NAC state that you can enable or disable.

Table 3-28 WLANs Tab Parameters

Table 3-29 RF Profile Tab Parameters


802.11a Drop-down list from which you can choose an RF profile for APs with 802.11a radios.

802.11b Drop-down list from which you can choose an RF profile for APs with 802.11b radios.

Table 3-30 APs Tab Parameters


APs currently in the Group

Access points that are currently assigned to this group.

To remove an access point, select the check box to the left of the AP name or select the AP Name check box to select all APs, and click Remove APs.

Add APs to the Group Access points that are available to be added to the group.

To add an access point, select the check box to the left of the AP Name or select the AP Name check box to select all APs, and click Add APs.



802.11u Tab

This table describes the 802.11u parameters.

Click Add New Venue to add a new venue for the AP group.

Click Apply to apply the Operating class to the AP group.

Table 3-31 802.11u Parameters


Venue Group Drop-down list from which you can choose a Hotspot group that groups similar Hotspot venues. The following options are available:

• Unspecified

• Assembly

• Business

• Educational

• Factory and Industrial

• Institutional

• Mercantile

• Residential

• Storage

• Utility and Misc

• Vehicular

• Outdoor

Venue Type Drop-down list from which you can choose the type of venue based on the Venue Group that you choose.

Venue Name Venue name that you can provide for this access point. This name is associated with the basic service set (BSS). This name is used in cases where the SSID does not provide enough information about the venue. The venue name is case sensitive and can be up to 252 alphanumeric characters.

Language Language used at the venue. You must specify the language before you specify the venue name. ISO-639 encoded string defining the language used at the venue. This string is a three-character language code. For example, you can enter ENG for English.

Operating class Select the check box to choose the 802.11u operating class. The different operating classes are 81, 83, 84, 112, 113, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127.

You can add a maximum of 10 operating classes.


C H A P T E R 4
Controller Tab
This tab on the menu bar enables you to access the Cisco WLC configuration details. Use the left navigation pane to access specific Cisco WLC parameters.

You can access the following page from the Controller tab:

• General

• Inventory

• Interfaces

• Interface Groups

• Multicast

• Network Routes

• Redundancy

• Internal DHCP Server

• Mobility Management

• Ports

• NTP

• CDP

• PMIPv6

• IPv6

• mDNS

• Advanced

• Voice Prioritization > New

GeneralChoose CONTROLLER > General to navigate to this page.


Chapter 4 Controller Tab General

Table 4-1 Controller Configuration Parameters


Name Controller name.

802.3x Flow Control Mode 802.3x flow control mode that you enable or disable when you choose the corresponding line on the drop-down list. By default, this option is disabled.

LAG Mode on next reboot Link Aggregation Group (LAG) mode that you can set as follows:

Enabled—Enables link aggregation on the Cisco WLC.

Disabled—Disables link aggregation on the Cisco WLC.

LAG is disabled by default on the Cisco 5500 Series Controllers. LAG is supported on Cisco 2500, 2504, 8500, and Flex 7500 Series Controllers.

For more information, see the Link Aggregation section.

Broadcast Forwarding Broadcast forwarding that you can enable or disable. The default is disabled.

AP Multicast Mode IPv4 Packet forwarding policy that the controller uses. Choose one of the following options from the drop-down list:

• Unicast—Enables the controller, when it receives a multicast packet, to forward the packet as a unicast packet to all associated access points.

• Multicast—Enables the controller to forward a packet as a multicast packet. Enter the IPv4 address of the multicast group in the multicast group address text box.

Note Cisco 2500 Series controllers support only multicast-multicast mode, and by default the multicast IP address is zero.

AP IPv6 Multicast Mode IPv6 Packet forwarding policy that the controller uses. Choose one of the following options from the drop-down list:

• Unicast—Enables the controller, when it receives a multicast packet, to forward the packet as a unicast packet to all associated access points.

• Multicast—Enables the controller to forward a packet as a multicast packet. Enter the IPv6 address of the multicast group in the multicast group address text box.

Note Cisco 2500 Series controllers support only multicast-multicast mode, and by default the multicast IP address is zero. You must configure the multicast address for IPv6 to function.

AP Fallback Access point fallback that you can enable or disable.

Determines whether or not an access point that lost a primary controller connection automatically returns to service when the primary controller becomes functional again.



CAPWAP Preferred Mode Select check box to configure CAPWAP Preferred Mode globally. The preferred mode can be either IPv4 or IPv6.

Fast SSID Change Fast SSID Change that you can enable or disable.

When you enable Fast SSID Change, the controller allows clients to move between SSIDs. When the client sends a new association request for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID.

When FastSSID Change is disabled, the controller enforces a delay before clients are allowed to move to a new SSID.

Link Local Bridging Enable to configure bridging of the link local traffic at local site.

Default Mobility Domain Name Operator-defined Mobility Group Name.

RF Group Name RF group name. The valid range for the RF group name is 8 to 19 characters.

Radio Resource Management (RRM) neighbor packets are distributed among access points within an RF group. Cisco access points only accept RRM neighbor packets sent with this RF group name. The RRM neighbor packets sent with different RF group names are dropped.

User Idle Timeout Timeout for idle clients in seconds. The factory default is 300. When the timeout expires, the client loses authentication, briefly disassociates from the access point, reassociates, and reauthenticates. The range is 90 to 100000.

ARP Timeout Timeout in seconds for the Address Resolution Protocol. By default, this is set to 300. The range is 10 to 2147483647.

Web Radius Authentication PAP, CHAP, or MD5-CHAP password authentication.

802.3 Bridging Bridging that you can enable or disable when you choose the corresponding line in the drop-down list. This option is disabled by default.

For more information, see the 802.3 Bridging topic.

Operating Environment Operating environment for the controller.

Note Not supported in Cisco Flex 7500 Series Controllers.

Internal Temp Alarm Limits Acceptable temperature range for operation of the controller. An alarm is triggered if the temperature raises or falls below the range.

Note Not supported in Cisco Flex 7500 Series Controllers.





Link AggregationLink aggregation enables you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG).

You should not configure the two gigabit ports of the Catalyst 3750 Integrated Wireless LAN Controller Switch because the two internal gigabit ports on the controller are always assigned to the same LAG group. Only the 24 copper and 2 SFP gigabit ports on the Catalyst 3750 switch are visible to the end user.

WebAuth Proxy Redirection Mode Mode that enables or disables the web authentication proxy redirection.

This feature enables clients that have manual web proxy enabled in the browser to facilitate authentication with the controller.

If the client’s browser is configured with manual proxy settings (on 8080 or 3128) and if the client requests any URL, the controller responds with a web page prompting the user to change the Internet settings to automatically detect the proxy settings. This is to ensure that the browser’s manual proxy settings information does not get lost.

After enabling this settings, the user can get access to the network through the web authentication policy.

This functionality is given for port 8080 and 3128 because these ports are the most commonly used ports for web proxy server.

WebAuth Proxy Redirection Port Port numbers on which the controller listens to web authentication proxy redirection. The default ports are 80, 8080, and 3128. If you configured the web authentication redirection port to any port other than these values, you must specify that value.

Maximum Allowed APs The maximum number of APs that can join a controller. Zero implies there is no restriction on maximum allowed APs.

Global IPv6 Config Drop-down list from which you can enable or disable the global IPv6 configuration.

Web Color Theme Drop-down list from which you can select red color as the UI default color.

HA SKU Secondary Unit Enable or disable the high availability SKU secondary unit.







Note You cannot create more than one LAG on a controller.

Some of the advantages of creating a LAG are as follows:

• If one of the links goes down, the traffic is moved to the other links in the LAG. As long as one of the physical ports is working, the system remains functional.

• It eliminates the need to configure separate backup ports for each interface.

• Multiple AP-manager interfaces are not required because only one logical port is visible to the application.

Note When you make changes to the LAG configuration, you must reboot the controller for the changes to take effect.

When LAG is enabled on the controller, the following configuration changes occur:

• Any dynamic interfaces that you have created are deleted to prevent configuration inconsistencies in the interface database.

• Interfaces cannot be created with the Dynamic AP Manager flag set.

802.3 BridgingThe controller supports 802.3 frames and the applications that use them, such as those typically used for cash registers and cash register servers. However, to make these applications work with the controller, the 802.3 frames must be bridged on the controller.

Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not running over IP. Only this raw 802.3 frame format is currently supported:

+-------------+-------------+--------------+------------------------| Destination | Source | Total packet | Payload . . . | MAC address | MAC address | length |+-------------+-------------+--------------+------------------------

Note The Cisco Wireless LAN Controller Network Module for Cisco Integrated Services Routers (as well as Cisco 5500 Series Controllers) bridge 802.3 packets by default. Therefore, 802.3 bridging can now be disabled only on the Cisco WiSM and the Catalyst 3750G Wireless LAN Controller Switch.

Note By default, Cisco 5500 Series Controllers bridge all non-IPv4 packets (such as AppleTalk, IPv6, and so on).

Buttons

• Apply: Sends data to the Cisco WLC, but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.


Chapter 4 Controller Tab Inventory

InventoryChoose CONTROLLER > Inventory to navigate to this page.

This page identifies Cisco WLAN Solution product information assigned by the manufacturer.

InterfacesChoose CONTROLLER > Interfaces to navigate to this page.

• To edit the parameters for an interface, click the interface name (Interfaces > Edit).

• To remove an interface, hover your cursor over the blue drop-down arrow for the interface and choose Remove. You are prompted for confirmation of the interface removal.

Table 4-2 Inventory Parameters


Model No. Model number as defined by the factory.

Burned-in MAC Address Burned-in Ethernet MAC address for this Cisco WLC management interface.

Maximum number of APs supported

Maximum number of access points supported by the Cisco WLC.

FIPS Prerequisite Mode Federal Information Processing Standards–US Government requirement for cryptographic modules.

WLANCC Prerequisite Mode If the shared secret for IPSec is not configured, the default radius shared secret is used. If the authentication method is PSK, WLANCC should be enabled to use the IPSec shared secret.By default, WLANCC is disabled.

UCAPL Prerequisite Mode If the shared secret for IPSec is not configured, the default radius shared secret is used. If the authentication method is PSK, UCAPL should be enabled to use the IPSec shared secret. By default, UCAPL is disabled.

UDI

Product Identifier Description Vendor-specific model name.

Version Identifier Description Vendor-specific hardware revision.

Serial Number Unique serial number for this Cisco WLC.

Entity Name Textual name of the physical entity.

Entity Description Textual description of the physical entity.


Chapter 4 Controller Tab Interfaces

Buttons

• New: Adds a new interface.

Interfaces > NewChoose CONTROLLER > Interfaces and then New to navigate to this page.

Add a new Cisco WLC operator-defined interface by entering the following parameters:

• Interface Name—Enter the name of the new operator-defined interface without any spaces. The interface name can be up to 32 characters and can include special characters.

• VLAN Id—Enter the VLAN identifier for this new interface, or enter 0 for an untagged VLAN.

Note IPv6 is not supported on Dynamic Interface.

Table 4-3 Controller Interface Parameters


Interface Name Name of the interface:

• Management—802.11 Distribution System wired network.

• Redundancy-management—Interface used for peer to peer communication using a gateway. This interface appears irrespective of the state of redundancy.

• Redundancy-port—Interface used for peer to peer communication. Role negotiation, config sync are done using this port. This interface appears irrespective of the state of redundancy.

• Service-port—System Service interface.

• Virtual—Unused IP address used as the virtual gateway address.

• AP-manager—Can be on the same subnet as the management IP address, but must have a different IP address than the management interface.

• <name>—Operator-Defined Interface assignment, without any spaces.

VLAN Identifier Virtual LAN assignment of the interface.

IP Address IPv4 address of the Cisco WLC and its distribution port.

Interface Type Static—Management, AP-Manager, Service-Port, and Virtual interfaces.

Dynamic—Operator-defined interfaces.

Dynamic AP Management Dynamic access point management status. The status could be Enabled, Disabled, or Not Supported. This option is disabled by default when LAG is enabled, and any other user-defined dynamic interface is deleted.

IPv6 Address IPv6 address of the Cisco WLCs management and service port.



Buttons

• Back: Returns to the previous page.

• Apply: Displays the Interfaces > Edit page and continues configuring the new operator-defined interface.

Interfaces > EditChoose CONTROLLER > Interfaces and then click on an interface name to navigate to this page.

The top of this page displays the operator-defined Interface Name, and may include the interface MAC address.

Edit Management, VLAN, Operator-Defined, Service Port, Virtual, and AP-Manager interfaces as described in the following tables.

Management Interface Parameters

Note If you made any changes to the management interface, reboot the controller so that your changes take effect.

Note The IPv4 and IPv6 configurations cannot be changed in redundancy mode.

Table 4-4 Management Interface Parameters


General Information

Interface Name Name of the interface.

MAC Address MAC address of the interface.

Configuration

Guest LAN Select the checkbox to enable the Guest LAN interface that is used as Ingress interface for Wired Guest LANs.

QuarantineIn Quarantine status. Check to indicate that this VLAN is a quarantine VLAN.

When a client is assigned to a quarantine VLAN, its data switching is always central.

This field does not appear when you select the Guest LAN check box.



Quarantine VLAN ID

Quarantine VLAN ID. Enter a nonzero value for the quarantine VLAN ID.

Note We recommend that you configure unique quarantine VLANs throughout your network. If multiple controllers are configured in the same mobility group and access interfaces on all controllers are in the same subnet, you must have the same quarantine VLAN if there is only one NAC appliance in the network. If multiple controllers are configured in the same mobility group and access interfaces on all controllers are in different subnets, you must have different quarantine VLANs if there is only one NAC appliance in the network.

This field does not appear when you select the Guest LAN check box.

NAS-ID ID that is sent to the RADIUS server by the controller through an authentication request to classify users to different groups so that the RADIUS server can send a customized authentication response.

NAT Address

Note This option is available only for Cisco 5500 Series Controllers that are configured for dynamic AP management.

Enable NAT Address

NAT addresses that you can enable. Select the check box to deploy the Cisco 5500 Series Controller behind a router or other gateway device that is using a one-to-one mapping network address translation (NAT).

NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s Intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.

NAT IP Address External NAT IP address.

Interface Address

VLAN Identifier Virtual LAN assigned to the interface.

Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the management interface.

Note For Cisco 5500 Series Controllers in a nonlink-aggregation (non-LAG) configuration, the management interface must be on a different VLAN than any dynamic AP-manager interface. Otherwise, the management interface cannot fail over to the port that the AP-manager is on.

IP Address IPv4 address of the interface.

Netmask Interface subnet mask (IPv4).

Gateway Interface gateway router IP address.

IPv6 Address IPv6 address of the interface.

Prefix Length Interface subnet mask (IPv6).





IPv6 Gateway Link local address of the interface gateway router.

Note An error is thrown when the IPv6 gateway is not a link local IPv6 address.

Link Local IPv6 Address

IPv6 unicast address that is configured on the interface. Link local IPv6 address is used for addressing a single link for automatic address configuration or neighbor discovery protocol.

Physical Information

Port Number Primary port for the interface.

Backup Port Backup port. If the primary port for an interface fails, the interface moves to the backup port.

Active Port Active port for the interface.

Enable Dynamic AP Management (applicable only to Cisco 5500 Series and Cisco Flex 7500 Controllers)

AP-manager interface.

Note Only one AP-manager interface is allowed per physical port. A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.

Caution Do not define a backup port for an AP-manager interface. Port redundancy is not supported for AP-manager interfaces. If the AP-manager interface fails, all of the access points connected to the controller through that interface are evenly distributed among the other configured AP-manager interfaces.

DHCP Information

Primary DHCP Server

Interface that uses this DHCP server first to obtain an IPv4 address.

Note IPv6 is not supported for DHCP.

Secondary DHCP Server

Interface that uses this DHCP server as a backup to obtain an IP address.






DHCP Proxy Mode Drop-down list from which you can choose the DHCP Proxy Mode that can be one of the following:

• Global—Uses the global DHCP proxy mode on the controller.

• Enabled—Enables the DHCP proxy mode on the interface. When you enable DHCP proxy on the controller, the controller unicasts the DHCP requests from the client to the configured servers. You must configure at least one DHCP server on either the interface associated with the WLAN or on the WLAN.

• Disabled—Disables the DHCP proxy mode on the interface. When you disable the DHCP proxy on the controller, the DHCP packets transmitted to and from the clients are bridged by the controller without any modification to the IP portion of the packet. Packets received from the client are removed from the CAPWAP tunnel and transmitted on the upstream VLAN. DHCP packets directed to the client are received on the upstream VLAN, converted to 802.11, and transmitted through a CAPWAP tunnel toward the client. As a result, the internal DHCP server cannot be used when DHCP proxy is disabled.

Note The DHCP Proxy mode is disabled by default when the interface uses IPv6 address. DHCP does not support IPv6.

Enable DHCP Option 82

Check box that allows you to enable the DHCP Option 82 on the dynamic interface. DHCP option 82 provides additional security when DHCP is used to allocate network addresses.

Enable DHCP Option 82-Link Select

Option 82-Link Select pads the extra information to get the IP address in the required subnet.

Link Select relay source

Allows to specify the required interface/subnet on which the DHCP client require an IP address.

Enable DHCP Option 82 - VPN Select

Enables the VPN select. This is used in conjunction with the link select relay source.

VPN select - VRF Name

VPN Select-VRF Name is a string that is used to select a DHCP pool based on the VRF name.

VPN select - VPN ID

VPN Select-VPN ID is an ASCII value that is used to select a DHCP pool based on the identifier.

Access Control List

ACL Name Drop-down list from which you can choose an IPv4 ACL.

Note Applying an ACL to the management interface does not affect wired devices. To block access to wired devices, you must configure an ACL on the upstream device port.

IPv6 ACL Name Drop-down list from which you can choose an IPv6 ACL.

Note Guest LAN does not support IPv6 ACL.





Redundancy-Management Interface Parameters

Operator-Defined Interface Parameters

mDNS

mDNS Profile Drop-down list from which you can choose the mDNS profile for the interface. Interface mDNS profiles have higher priority than WLAN mDNS profiles. Clients receive service advertisements only for the services associated with the profile.

Table 4-5 Redundancy-Management Interface Parameters


General Information


Interface Address

IP Address1 IP address of the interface.

Table 4-6 Operator-Defined Interface Parameters


General Information



Configuration

Guest LAN Guest LAN. Select the check box to indicate that this is a guest LAN.

Quarantine1 Quarantine LAN. Select the check box to indicate that this VLAN is a quarantine VLAN.

When a client is assigned to a quarantine VLAN, its data switching is always central.





Quarantine VLAN Id1 Quarantine VLAN ID. Enter a nonzero value for the quarantine VLAN ID.

Note We recommend that you configure unique quarantine VLANs throughout your network. If multiple controllers are configured in the same mobility group and access interfaces on all controllers are in the same subnet, you must have the same quarantine VLAN if there is only one NAC appliance in the network. If multiple controllers are configured in the same mobility group and access interfaces on all controllers are in different subnets, you must have different quarantine VLANs if there is only one NAC appliance in the network.

NAS-ID Network Access Server Identifier (NAS-ID) for a VLAN interface. The NAS-ID is sent to the RADIUS server by the controller through an authentication request to classify users to different groups so that the RADIUS server can send a customized authentication response.





Enable Dynamic AP Management1

AP-manager interface.

Note Only one AP-manager interface is allowed per physical port. A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.

Caution Do not define a backup port for an AP-manager interface. Port redundancy is not supported for AP-manager interfaces. If the AP-manager interface fails, all of the access points connected to the controller through that interface are evenly distributed among the other configured AP-manager interfaces.

Interface Address


IP Address1 IPv4 address of the interface.

Note IPv6 is not supported on Dynamic Interface.

Netmask1 Interface subnet mask.

Gateway1 Interface gateway router IP address.

DHCP Information





Primary DHCP Server1 Interface that uses this DHCP server first to obtain an IP address.


Secondary DHCP Server1 Interface that uses this DHCP server as a backup to obtain an IP address.


DHCP Proxy Mode Drop-down list from which you can choose the DHCP Proxy Mode that can be one of the following:

• Global—Uses the global DHCP proxy mode on the controller.

• Enabled—Enables the DHCP proxy mode on the interface. When you enable DHCP proxy on the controller, the controller unicasts the DHCP requests from the client to the configured servers. You must configure at least one DHCP server on either the interface associated with the WLAN or on the WLAN.

• Disabled—Disables the DHCP proxy mode on the interface. When you disable the DHCP proxy on the controller, the DHCP packets transmitted to and from the clients are bridged by the controller without any modification to the IP portion of the packet. Packets received from the client are removed from the CAPWAP tunnel and transmitted on the upstream VLAN. DHCP packets directed to the client are received on the upstream VLAN, converted to 802.11, and transmitted through a CAPWAP tunnel toward the client. As a result, the internal DHCP server cannot be used when DHCP proxy is disabled.

Note Disabled: The DHCP Proxy mode is disabled by default when the interface uses IPv6 address. DHCP does not support IPv6.

Enable DHCP Option 82 Check box that allows you to enable the DHCP Option 82 on the dynamic interface. DHCP option 82 provides additional security when DHCP is used to allocate network addresses.

Enable DHCP Option 82-Link Select

Option 82-Link Select pads the extra information to get the IP address in the required subnet.

Link Select relay source Allows to specify the required interface/subnet on which the DHCP client require an IP address.

Enable DHCP Option 82 - VPN Select

Enables the VPN select. This is used in conjunction with the link select relay source.

VPN select - VRF Name VPN Select-VRF Name is a string that is used to select a DHCP pool based on the VRF name.

VPN select - VPN ID VPN Select-VPN ID is an ASCII value that is used to select a DHCP pool based on the identifier.

Access Control List





Service Port Interface Parameters

ACL Name Any of the access control lists currently displayed on the Access Control Lists page.

Note Applying an ACL to the management interface does not affect wired devices. To block access to wired devices, configure an ACL on the upstream device port.

mDNS

mDNS Profile Drop-down list from which you can choose the mDNS profile for the interface. Interface mDNS profiles have higher priority than WLAN mDNS profiles. Clients receive service advertisements only for the services associated with the profile.

1. Not available on guest LAN.

Table 4-7 Service Port Interface Parameters


General Information



Interface Address

IPv4

DHCP Protocol Check box that you check to have the Service Port interface use a DHCP server to obtain its IP address.

IP Address IP address of the Service Port interface.

Netmask Interface subnet mask.

Note The service port cannot be configured with the same IP address or on the same subnet as the network distribution system.

IPv6

SLACC Enable SLACC to auto-configure the IPv6 address.

You can configure a static IPv6 address by disabling the check box.

Primary Address This field is enabled for static IPv6 configuration. Enter the IPv6 address.

For SLACC, the service port generates the IPv6 address provided a valid prefix length is used.

Prefix Length Enter IPv6 prefix length of the management interface. The valid prefix length is between 1-127.

Link Local Address The link-local IPv6 address.





Virtual Interface Parameters

Note If you made any changes to the virtual interface, reboot the controller so that your changes take effect.

AP-Manager Interface Parameter

Note For Cisco 5500 Series Controllers, you do not have to configure an AP-manager interface because the management interface acts like an AP-manager interface by default.

Table 4-8 Virtual Interface Parameters


General Information



Interface Address

IP Address Gateway IP address. Any fictitious, unassigned IP address (such as 10.1.10.1) to be used by Layer 3 Security and Mobility managers. Reboot the Cisco WLC to have this change take effect.

DNS Host Name Gateway hostname. Used by Layer 3 Security and Mobility managers to verify the source of certificates when Web Auth is enabled. Reboot the Cisco WLC to have this change take effect.

Note You must configure the virtual gateway address to enable Layer 3 Web Auth, configured on the Editing WLANs page.

Table 4-9 AP Manager Interface Parameters


General Information



Interface Address


IP Address IP address of the Cisco WLC Layer 3 CAPWAP protocol manager. This IP address cannot be the same IP address used by the management interface.

Netmask Interface subnet mask.

Gateway Interface gateway router IP address.




Chapter 4 Controller Tab Interface Groups

Buttons


• Apply: Sends data to the Cisco WLC, but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

Note Applying interface changes may cause WLANs to temporarily drop client connections. You are prompted to confirm the changes if this is the case.

Interface GroupsInterface groups are logical groups of interfaces. Interface groups facilitate user configuration where an interface group can be reused either while configuring multiple WLANs or while overriding a WLAN interface per AP group. An interface group can contain either quarantine or nonquarantine interfaces.

A WLAN can be mapped to a single interface or multiple interfaces using an interface group. Wireless clients that are associated to this WLAN get their IP addresses from a pool of subnets that are identified by the interfaces using a MAC based hashing algorithm.

VLAN select feature also enables you to associate a client to different subnets based on the foreign controller that they are connected to. The anchor controller maintains a mapping between the foreign MAC and the interface group.

Choose CONTROLLER > Interface Groups to navigate to this page.

• To edit the parameters for an interface, click the interface name (Interfaces > Edit).

• To remove an interface group, hover your cursor over the blue drop-down arrow for the interface group and choose Remove. You are prompted for confirmation of the interface group removal.

Note A WLAN can be mapped to a single interface or multiple interfaces. A maximum of 20 interfaces can be added to an interface group.



Enable Dynamic AP Management

AP-Manager interface. Select the check box to indicate that the interface is an AP-manager interface.

Note This enables only IPv4 based AP manager for dynamic interface.

DHCP Information

Primary DHCP Server DHCP server that the interface uses first to obtain an IP address.

Secondary DHCP Server DHCP server that the interface uses as a backup to obtain an IP address.

Access Control List

ACL Name Access control list names currently available on the Access Control Lists page.

Table 4-9 AP Manager Interface Parameters



Chapter 4 Controller Tab Interface Groups

Buttons

Add Group: Adds a new interface group.

Interface Groups > Add GroupChoose CONTROLLER > Interface Groups and then click Add Group to navigate to this page.

Add a new Cisco WLC operator-defined interface group by entering the following parameters:

• Interface Group Name—Enter the name of the new operator-defined interface group. The interface group name can be up to 32 characters and can include special characters.

• Description—Enter the description for this new interface group.

Buttons

• Add: Adds a new interface group.

• Cancel: Disregards any settings or changes.

Interface Groups > EditChoose CONTROLLER > Interface Groups and then click on an interface group name to navigate to this page.

Buttons


Table 4-10 Controller Interface Groups Parameters


Interface Group Name Name of the interface group.

Description Description for the interface group.

mDNS Profile Drop-down list from which you can choose the mDNS profile for the interface group. Clients receive service advertisements only for the services associated with the profile. Interface group mDNS profiles have higher priority than WLAN mDNS profiles.



Interface Group Name Name of the interface group.

Property Quarantine status of the VLAN.


Add Interface Add Interface button that allows you to add an interface to the interface group. You can choose the interface to add from the Interface Name drop-down list.


Chapter 4 Controller Tab Multicast

• Apply: Sends data to the controller, but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

MulticastChoose CONTROLLER > Multicast to navigate to this page.

This page enables you to configure Internet Group Management Protocol (IGMP) snooping and to set the IGMP timeout.

When you enable IGMP snooping, the controller gathers IGMP reports from the clients and then sends each access point a list of the clients that are listening to any multicast group. The access points then forward multicast packets only to those clients.

Table 4-12 Multicast


Enable Global Multicast Mode

Multicast mode that you can enable or disable.

Disabled—Disables multicast support on the Cisco WLC (default).

Unicast—Enables the controller when it receives a multicast packet to forward the packet as a unicast packet to all the associated access points. FlexConnect supports only Unicast Mode.

Multicast—Enables multicast support on the Cisco WLC. Enter the IP address of the multicast group in the Multicast Group Address text box.

Enable IGMP Snooping IGMP snooping that you can enable or disable. The default is enable.

IGMP Timeout (seconds) IGMP timeout, in seconds. Valid values are from 30 and 7200.

When the timeout expires, the controller sends a query on all WLANs, causing all clients that are listening to a multicast group to send a packet back to the controller.

IGMP Query Interval (seconds)

IGMP query interval, in seconds that you can set. The query interval value is the frequency at which the controller sends the IGMP queries. Valid range is from 15 and 2400 seconds.

Enable MLD Snooping Multicast Listener Discovery (MLD) that you can enable for efficient distribution of IPv6 multicast data to clients and routers in a switched network. By default it is enabled. To enable IPv6 multicast, both Global Multicast Mode and MLD snooping must be enabled.

MLD Timeout (seconds) MLD timeout, in seconds. Valid values are from 30 and 7200.

When the timeout expires, the controller sends a query on all WLANs, causing all clients that are listening to a multicast group to send a packet back to the controller.

MLD Query Interval (seconds)

MLD query interval, in seconds that you can set. The query interval value is the frequency at which the controller sends the MLD queries. Valid range is from 15 and 2400 seconds.


Chapter 4 Controller Tab Network Routes

Buttons

• Apply: Sends data to the Cisco WLC but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

Network RoutesThis page provides a summary of existing IPv4 and IPv6 based service port network routes to network or element management systems on a different subnet. You can choose IP Address, IP Netmask, or Gateway IP Address.

Network Routes > IPv4 RoutesThis page provides a summary of existing IPv4 based service port network routes to network or element management systems on a different subnet. You can choose IP Address, IP Netmask, or Gateway IP Address.

• To remove a network route, hover your cursor over the blue drop-down arrow for the route and choose Remove. You are prompted to confirm the Network Route removal.

Buttons

New: Adds a new IPv4 based network route.

IPv4 Routes > NewChoose CONTROLLER > Network Routes > IPv4 Routes and then click New to navigate to this page.

To add a new network route for the service port.

• Route Type—Select IPv4 as the route type.

Enter the following information in the text boxes:

• IP Address—Destination network IP address range

• IP Netmask—Destination subnet mask

• Gateway IP Address—IP address of the service port gateway router

Buttons


Apply: Sends data to the Cisco WLC but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

Network Routes > IPv6 RoutesChoose CONTROLLER > Network Routes > IPv6 Routes to navigate to this page.


Chapter 4 Controller Tab Redundancy

This page provides a summary of existing IPv6 based service port network routes to network or element management systems on a different subnet. You can choose IP Address, IP Netmask, or Gateway IP Address.

• To remove a network route, hover your cursor over the blue drop-down arrow for the route and choose Remove. You are prompted to confirm the Network Route removal.

Buttons

New: Adds a new IPv6 based network route.

IPv6 Routes > NewChoose CONTROLLER > Network Routes > IPv6 Routes and then click New to navigate to this page.

To add a new network route for the service port.

Route Type—Select IPv6 as the route type.

Enter the following information in the text boxes:

• IP Address—Destination network IP address range

• IP Netmask/Prefix Length—The prefix length assigned to the destination IPv6 address.

• Gateway IP Address—IP address of the service port gateway router

Buttons


Apply: Sends data to the Cisco WLC but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

RedundancyIn a high availability (HA) architecture, one controller is in the Active state and a second controller is in the Standby state, which continuously monitors the health of the Active controller through a direct wired connection over a dedicated HA port. Both controllers share the same configurations including the IP address of the management interface.

Choose CONTROLLER > Redundancy to configure the redundancy parameters and peer network routes:

• To enable redundancy and configure redundancy parameters on the primary and secondary controllers, choose CONTROLLER > Redundancy > Global Configuration.

• To configure service port network routes for the peer controller, choose CONTROLLER > Redundancy > Peer Network Route.

Redundancy > Global ConfigurationChoose CONTROLLER > Redundancy > Global Configuration to navigate to this page.

You can enable redundancy and configure redundancy parameters on the primary and secondary controllers.



The controllers reboot to negotiate the HA role based on the configuration. The standby controller downloads the configuration from the active controller and reboots. In the next bootup process, after the role of the controller is determined, the standby controller tries to validate the configuration again to establish itself as the controller in the Standby state.

After the controllers are rebooted and the XML configuration is synchronized, the active controller transitions to the Active state, and the standby controller transitions to the Standby HOT state. From this point, GUI, Telnet, and SSH for the standby controller on the management interface do not work because all the configurations and management have to be done through the active controller. The standby controller can only be managed through the console or the service port. Also, when a controller transitions to the Standby HOT state, the Standby keyword is automatically appended to the prompt of the controller.

To see the redundancy status of the active controller, choose Monitor > Redundancy > Summary to navigate the Redundancy Summary page.

Table 4-13 Global Configuration Parameters


Redundancy Mgmt IP Redundancy Management IP address of the controller. Ensure that the Redundant Management IP address for both controllers is the same.

Peer Redundancy Mgmt IP Redundancy Management IP address of the peer controller. Ensure that the Peer Redundant Management IP address for both the controllers is the same.

Redundancy port IP IP address of the redundancy port of the controller.

Controllers in a HA environment use the redundancy port to do HA role negotiation. The redundancy port is responsible for configuration and operational data synchronization between active and standby controllers.

Peer Redundancy port IP IP address of the redundancy port of the peer controller.

The redundancy port in standalone controllers and the redundancy VLAN in Cisco WiSM2 are assigned an automatically generated IP address where the last two octets are picked from the last two octets of the Redundancy Management Interface. The first two octets are always 169.254.

For example, if the IP address of the Redundancy Management Interface is 209.165.200.225, the IP address of the redundancy port is 169.254.200.225.

Redundant Unit Controller that can be primary or secondary.

Mobility MAC Address MAC address that is an identifier for the active and standby controller pair.

If an HA pair is to be added as a mobility member for a mobility group, the mobility MAC address (instead of the system MAC address of the active or standby controller) should be used. Normally, the mobility MAC address is chosen as the MAC address of the active controller and you do not have to manually configure this.



Buttons

• Apply: Commits your changes.

• Save Configuration: Saves the changes

Redundancy > Peer Network RouteChoose CONTROLLER > Redundancy > Peer Network Route to navigate to this page.

Keep Alive Timer Timer that controls how often the primary controller sends a heartbeat keepalive signal to the standby controller.

The range is from 100 to 1000 milliseconds, in multiples of 50.

Keep Alive Retries The number of times keep alive packets are send between the HA peers. The valid range is between 100 to 1000 milliseconds.

Peer Search Timer Timer that controls how often the primary controller sends a peer search signal to the standby controller.

The range is from 60 to 300 seconds.

Management Gateway Failure If the Management interface gateway is unreachable, then the HA tigger can be enabled /disabled.

SSO Drop-down list from which you can choose Enable to enable AP and client SSO.

After you enable an SSO, the service port peer IP address and the service port netmask appear on the configuration page. Note that the service port peer IP address and the netmask can be pushed to the peer only if the HA peer is available and operational. When you enable high availability, you do not have to configure the service port peer IP address and the service port netmask parameters. You must configure the parameters only when the HA peer is available and operational.

After you enable SSO, both the controllers are rebooted. During the reboot process, the controllers negotiate the HA role through the redundant port based on the configuration. If the controllers cannot reach each other through the redundant port or through the Redundant Management Interface, the standby controller goes into the maintenance mode.

Service Port Peer IP IP address of the service port of the peer controller.

When the HA pair becomes available and operational, you can configure the peer service port IP address and netmask when service port is configured as static. If you enable DHCP on the service port, you do not have to configure these parameters on the Global Configuration page.

Service Port Peer Netmask Netmask of the service port of the peer controller.

Table 4-13 Global Configuration Parameters



Chapter 4 Controller Tab Internal DHCP Server

This page provides a summary of existing service port network routes of the peer controller to network or element management systems on a different subnet. You can view the IP address, IP netmask, and gateway IP address. To remove a peer network route, hover your cursor over the blue drop-down arrow for the route and choose Remove. You are prompted to confirm the Network Route removal.

Buttons

• New: Adds a new peer network route.

Internal DHCP ServerChoose CONTROLLER > Internal DHCP Server to navigate to this page. From here you can choose the following:

• CONTROLLER > Internal DHCP Server > DHCP Scope to view the existing DHCP server scopes.

See Internal DHCP Server > DHCP Scope for more information.

• CONTROLLER > Internal DHCP Server > DHCP Allocated Lease to view the MAC address, the IP address, and the remaining lease time for wireless clients.

See Internal DHCP Server > DHCP Allocated Lease for more information.

Note This feature is not supported in Cisco Flex 7500 and 8500 Series controllers.

Internal DHCP Server > DHCP ScopeChoose CONTROLLER > Internal DHCP Server > DHCP Scope to navigate to this page.

The controllers have built-in DHCP relay agents. However, when you want network segments that do not have a separate DHCP server, the controllers can have built-in DHCP scopes (Dynamic Host Configuration Protocol servers) that assign IP addresses and subnet masks to wireless clients, direct-connect access points, appliance-mode access points on the management interface, and DHCP requests that are relayed from access points. (Only lightweight access points are supported.)

Typically, one Cisco WLC can have one or more DHCP scopes that each provide a range of IP addresses. This page shows the existing DHCP server scope names.

Each DHCP Scope displays the following entries, which are a subset of those set on the DHCP Scope > Edit page:

• Scope Name

• Address Pool—IP address range. This pool must be unique for each DHCP scope and must not include the static IP addresses of routers and other servers

• Lease Time—Number of seconds that an IP address is granted to a client or access point

• Status—Scope is Enabled or Disabled

Click the scope name to go to the DHCP Scope > Edit page to change the DHCP scope settings.

Remove a DHCP Scope by hovering your cursor over the blue drop-down arrow and choosing Remove. You are prompted to confirm the DHCP Scope removal.



Buttons

• New: Creates a new DHCP Scope.

DHCP Scope > NewChoose CONTROLLER > Internal DHCP Server > DHCP Scope and then click New to navigate to this page.

The controllers have built-in DHCP relay agents. However, if you want network segments that do not have a separate DHCP server, the controllers also have built-in DHCP scopes (servers) that assign IP addresses and subnet masks to wireless clients, direct-connect access points, appliance-mode access points on the management interface, and DHCP requests that are relayed from access points. (Only lightweight access points are supported.)

Typically, one Cisco WLC can have one or more DHCP scopes that each provide a range of IP addresses. This page enables you to add a DHCP server scope name.

Add a new DHCP scope by entering the DHCP scope name and then clicking Apply. The Cisco WLAN Solution saves the DHCP scope name and returns you to the Internal DHCP Server > DHCP Scope page. On the Internal DHCP Server > DHCP Scope page, click the scope name to set the DHCP scope parameters on the DHCP Scope > Edit page.

Buttons



DHCP Scope > EditChoose CONTROLLER > Internal DHCP Server > DHCP Scope and then click the scope name to navigate to this page.

The controllers have built-in DHCP relay agents. However, when you want network segments that do not have a separate DHCP server, the controllers also have built-in DHCP scopes (servers) that assign IP addresses and subnet masks to wireless clients, direct-connect access points, appliance-mode access points on the management interface, and DHCP requests that are relayed from access points. (Only lightweight access points are supported.)

Typically, one Cisco WLC can have one or more DHCP scopes that each provide a range of IP addresses. This page enables you to edit a DHCP server scope.

This page shows the name of the DHCP Scope you are editing.



Buttons



Internal DHCP Server > DHCP Allocated LeaseChoose CONTROLLER > Internal DHCP Server > DHCP Allocated Leases to navigate to this page.

This page displays the MAC address, the IP address, and the remaining lease time for wireless clients.

Table 4-14 DHCP Scope Parameters


Pool Start Address Starting IP address in the range assigned to clients and access points. This pool must be unique for each DHCP scope. The pool must not include the static IP addresses of routers and other servers.

Pool End Address Ending IP address in the range assigned to clients and access points. This pool must be unique for each DHCP scope. The pool must not include the static IP addresses of routers and other servers.

Network Network served by this DHCP scope. This IP address is used by the management interface with the netmask applied, listed on the Interfaces page.

Netmask Subnet mask assigned to all clients and access points.

Lease Time How many seconds an IP address is granted to a client or access point, from 120 to 8640000.

DNS Domain Name Optional DNS (Domain Name System) domain name of this DHCP scope for use with one or more DNS servers.

DNS Servers IP address of the optional DNS servers. Each DNS server must be able to update a client DNS entry to match the IP address assigned by this DHCP scope.

NetBIOS Name Servers IP address of the optional Microsoft NetBIOS (Network Basic Input Output System) name servers, such as a WINS (Windows Internet Naming Service) server.

Status Setting that enables you to configure the DHCP scope. The values can be Enable or Disable.


Chapter 4 Controller Tab Mobility Management

Mobility ManagementChoose CONTROLLER > Mobility Management to navigate to this page. From here you can choose the following:

• CONTROLLER > Mobility Management > Mobility Configuration to configure hierarchical mobility on the controller.

See Mobility Management > Mobility Configuration for more information.

• CONTROLLER > Mobility Management > Mobility Groups to view existing mobility group members.

See Mobility Management > Mobility Groups for more information.

• CONTROLLER > Mobility Management > Mobility Anchor Config to configure the symmetric mobility tunneling for mobile clients.

See Mobility Management > Mobility Anchor Configuration for more information.

• CONTROLLER > Mobility Management > Multicast Messaging to configure the controller to use multicast to send the Mobile Announce messages.

See Mobility Management > Mobility Multicast Messaging for more information.

• CONTROLLER > Mobility Management > Switch Peer Group to view existing mobility switch peer groups and their details.

See Mobility Management > Switch Peer Group for more information.

• CONTROLLER > Mobility Management > Switch Peer Group Member to add or remove members to the switch peer group.

See Mobility Management > Switch Peer Group Member for more information.

• CONTROLLER > Mobility Management > Mobility Controller to view all the mobility controllers and their link status.

See Mobility Management > Mobility Controllers for more information.

• CONTROLLER > Mobility Management > Mobility Clients to view all the mobility clients and their parameters.

See Mobility Management > Mobility Clients for more information.

Mobility Management > Mobility ConfigurationChoose CONTROLLER > Mobility Management > Mobility Configuration to navigate to this page.

This page allows you to enable hierarchical mobility and configure its parameters.

Table 4-15 Mobility Configuration Parameters


General

Enable New Mobility Check box that you can select to enable or disable hierarchical mobility.

Note When you enable hierarchical mobility, you must save the config and reboot the controller.

Mobility Parameters



Buttons

• Apply: Sends data to the controller but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

Mobility Management > Mobility GroupsChoose CONTROLLER > Mobility Management > Mobility Groups to navigate to this page.

This page lists existing mobility group members by their MAC address and IP address and also indicates whether the mobility group member is local (this Cisco WLC) or remote (any other mobility group member). The first entry is the local Cisco WLC, which cannot be deleted. The following entries are other controllers in the mobility group that can be deleted at any time by choosing Remove. You can also view the hash key of the virtual controller in your domain.

Note You can ping any of the static mobility group members by choosing Ping.

You set the Mobility Group Name that is set on the General page.

Buttons

• New: Adds a new mobility group member.

• Edit All: Displays the Mobility Group Member > Edit All page.

Mobility Oracle Check box that you can select to enable the controller as a Mobility Oracle. The Mobility Oracle is optional, it maintains the client database under one complete mobility domain.

Multicast Mode Check box that you can select to enable or disable multicast mode in a mobility group.

Multicast IP Address Multicast IP address of the switch peer group.

Mobility Oracle IP Address IP address of the Mobility Oracle. You cannot enter the value if you have checked the Mobility Oracle check box.

Mobility Controller Public IP Address IP address of the controller, if there is no NAT. If the controller has NAT configured, the public IP address will be the NATed IP address.

Mobility Keep Alive Interval Amount of time (in seconds) between each ping request sent to an peer controller. The valid range is 1 to 30 seconds, and the default value is 10 seconds.

Mobility Keep Alive Count Number of times a ping request is sent to an peer controller before the peer is considered to be unreachable. The valid range is 3 to 20, and the default value is 3.

Mobility DSCP Value DSCP value that you can set for the mobility controller. The valid range is 0 to 63, and the default value is 0.

Table 4-15 Mobility Configuration Parameters




Mobility Group Member > NewChoose CONTROLLER > Mobility Management > Mobility Groups and then click New to navigate to this page.

This page enables you to add mobility group members.

• Member IP Address—Enables you to enter the management interface IP address of the controller to be added. Both, IPv4 and IPv6 are supported.

Note If you are configuring the mobility group in a network where network address translation (NAT) is enabled, enter the IP address sent to the controller from the NAT device rather than the controller’s management interface IP address. Otherwise, mobility will fail among controllers in the mobility group.

Also, client mobility among controllers works only if you enable auto-anchor mobility or symmetric mobility tunneling. Asymmetric tunneling is not supported when mobility controllers are behind a NAT device.

• Member MAC Address—Enables you to enter the MAC address of the controller to be added. Both, IPv4 and IPv6 are supported.

• Group Name—Enables you to enter the name of the mobility group.

Note The mobility group name is case sensitive.

• Hash—Enables you to configure hash key of the peer mobility controller. This is not supported for IPv6 members.

Note You must configure the hash only if the peer mobility controller is a virtual controller.

Buttons



Mobility Group Member > Edit AllChoose CONTROLLER > Mobility Management > Mobility Groups and then click Edit All to navigate to this page.

This page enables you to edit all the existing Mobility Group members’ MAC addresses, IPv4 and IPv6 addresses in a text box and then to cut and paste all the entries from one Cisco WLC to the other controllers in the mobility group.

Note From Release 8.0, Cisco WLC supports IPv6. The remaining entires will be ignored.



You can edit existing entries in the box and/or paste new entries into the box. In all cases, leave one space between the MAC address and IP address on each line.

The text box on this page makes it easy to avoid data-entry errors while copying the mobility group members list to all the controllers in the same mobility group. Some guidelines are as follows:

• Notice that the text box starts with the local Cisco WLC MAC address and IPv4/IPv6 address.

• In the text box, add the MAC addresses, IPv4/IPv6 addresses, and the mobility group name for the rest of the controllers in the same geographical location (such as a campus or building) that you want to add to the static mobility group.

• When you have added all the Cisco WLC MAC addresses and IP v4/IPv6 addresses to the static mobility group, you can cut and paste the complete list into the corresponding boxes in the Mobility Group Member > Edit All pages in other mobility group member Web User Interface pages.

Note The mobility Group supports a maximum of 72 mobility peers.

Buttons



Mobility Management > Mobility Anchor ConfigurationChoose CONTROLLER > Mobility Management > Mobility Anchor Config to navigate to this page. This page enables you to configure the symmetric mobility tunneling for mobile client features.

Guest N+1 Redundancy

The guest N+1 redundancy feature enables the foreign controller to periodically send ping requests to each anchor controller in the mobility group and enables you to configure the number and interval of requests sent to each anchor controller. Once a failed anchor controller is detected, all of the clients anchored to this controller are deauthenticated so that they can quickly become anchored to another controller.

When using the guest N+1 redundancy and mobility failover features with a firewall, ensure that the following ports are open:

• UDP 16666 for tunnel control traffic

• UDP 16667 for encrypted traffic

• IP Protocol 97 for user data traffic

• TCP 161 and 162 for SNMP

To view the current state of the data and control paths of controllers that have already been configured as mobility anchors, use the Mobility Anchors page.



Symmetric Mobility Tunneling

Note When controllers in the mobility list are running different software releases (such as 5.2, 6.0, and 7.0), Layer 2 or Layer 3 client roaming is not supported between them. It is supported only between controllers running the same release.

The controller provides inter-subnet mobility for clients roaming from one access point to another within a wireless LAN. This mobility is asymmetric so that the client traffic to the wired network is routed directly through the foreign controller.

This mechanism breaks when an upstream router has reverse path filtering (RPF) enabled. In this case, the client traffic is dropped at the router because the RPF check ensures that the path back to the source address matches the path from which the packet is coming.

When symmetric mobility tunneling is enabled, all client traffic is sent to the anchor controller and can then successfully pass the RPF check.

You should also enable symmetric mobility tunneling if a firewall installation in the client packet path may drop the packets whose source IP address does not match the subnet on which the packets are received.

Note Although a Cisco 2000 Series Controller cannot be designated as an anchor for a WLAN when using auto-anchor mobility, it can serve as an anchor in symmetric mobility tunneling to process and forward the upstream client data traffic tunneled from the foreign controller.

Mobility Anchor Config Parameters

Buttons


Table 4-16 Mobility Anchor Config Parameters


Keep Alive Count Number of times a ping request is sent to an anchor controller before the anchor is considered to be unreachable. The valid range is 3 to 20, and the default value is 3.

Keep Alive Interval Amount of time (in seconds) between each ping request sent to an anchor controller. The valid range is 1 to 30 seconds, and the default value is 10 seconds.

Symmetric Mobility Tunneling mode Enabled (Default).

DSCP Value DSCP value that you can set for the mobility anchor. The valid range is 0 to 63.



Mobility Management > Mobility Multicast MessagingChoose CONTROLLER > Mobility Management > Multicast Messaging to navigate to this page.

The controller provides inter-subnet mobility for clients by sending mobility messages to other member controllers. There can be up to 72 members in the list with up to 24 in the same mobility group. The controller sends a Mobile Announce message to members in the mobility list each time a new client associates to it.

You can configure the controller to use multicast to send the Mobile Announce messages. This behavior enables the controller to send only one copy of the message to the network, which designates it to the multicast group that contains all the mobility members. To derive the maximum benefit from multicast messaging, we recommend that it be enabled or disabled on all group members.

• Enable Multicast Messaging—Enables the controller to use multicast to send the Mobile Announce messages. If you leave it unselected, the controller uses unicast mode to send the Mobile Announce messages. The default value is unselected.

• Local Group Multicast IPv4 Address—Enables you to enter the multicast group IPv4 address for the local mobility group. This address is used for multicast mobility messaging.

Note To use multicast messaging, you must configure the IPv4 address for the local mobility group.

• Local Group Multicast IPv6 Address—Enables you to enter the multicast group IPv6 address for the local mobility group. This address is used for multicast mobility messaging.

• Mobility Group—Lists the names of all the currently configured mobility groups.

Note For Release 8.0, IPv6 is not supported for mobility multicast.

Buttons


Mobility Multicast Messaging > EditChoose CONTROLLER > Mobility Management > Multicast Messaging and then click the name of the local mobility group to navigate to this page.

• Mobility Group—Lists the name of all the mobility group.

• Local Group Multicast IP Address—Enables you to enter the multicast group IP address for the nonlocal mobility group. This address is used for multicast mobility messaging.

Note If you do not configure the multicast IP address for nonlocal groups, the controller uses unicast mode to send mobility messages to those members.

Buttons





Mobility Management > Switch Peer GroupChoose CONTROLLER > Mobility Management > Switch Peer Group to navigate to this page.

This page lists all the switch peer groups and their details like bridge domain ID, multicast IP address, and status of the multicast mode. Click the name of the switch peer group to navigate to the Edit page and update the parameters if required.

Mobility Management > Switch Peer Group MemberChoose CONTROLLER > Mobility Management > Switch Peer Member to navigate to this page.

This page lists all the members of the switch peer group along with their group name, IP address, and public IP address.

Buttons

• New: Adds a new member to the switch peer group.

Mobility Management > Mobility ControllersChoose CONTROLLER > Mobility Management > Mobility Controllers to navigate to this page.

This page lists all the mobility controllers. Mobility Controllers are controllers that provide mobility management services for an inter proximity group.

You can see the total number of mobility controllers and details like IP address, MAC address, client count, and link status.

Buttons

• New: Adds a new member to the switch peer group.

Mobility Management > Mobility ClientsChoose CONTROLLER > Mobility Management > Mobility Clients to navigate to this page.

This page lists the total number of mobility clients and their parameters.

Table 4-17 Mobility Client Parameters


Client MAC Address MAC address of the mobility client.

Client IP Address IP address of the mobility client.

Anchor MC IP Address IP address of the anchor Mobility Controller.

Anchor MC Public IP Address Public IP address of the anchor Mobility Controller.


Chapter 4 Controller Tab Ports

PortsChoose CONTROLLER > Ports to navigate to this page.

This page displays the status of each physical port on the Cisco WLC.

• To edit global parameters across all ports, click Configure All to open the Ports > Configure page.

• To edit the parameters for a single port, click the port number link for the port you want to configure. This action brings up a Ports > Configure page.

Note The Cisco 5500 Series and the Cisco Flex 7500 Series Controllers do not support the Spanning Tree Protocol.

Note The physical mode and status may reflect different values depending on the link status. For example, the physical mode may be set to Auto while the actual link is running at 10 Mbps half duplex.

Foreign MC IP Address IP address of the foreign Mobility Controller.

Foreign MC Public IP Address Public IP address of the foreign Mobility Controller.

Client Association Time Time when the mobility client associated with the Mobility Controller.

Client Entry Update Timestamp Timestamp when the client entry is updated.

Table 4-17 Mobility Client Parameters




Port No Port number on the Cisco WLC.

STP Status1 Spanning tree status. Values are Forwarding and Disabled.

Admin Status State of the port as either Enabled or Disabled.

Physical Mode Configuration of the port physical interface.

Available values are as follows:

• Auto

• 100 Mbps Full Duplex

• 100 Mbps Half Duplex



Note In Cisco NM-AIR-WLC6-K9, Cisco 5500 Series, and Cisco Flex 7500 Series controllers, the physical mode is always set to Auto.



Buttons

• Configure All: Opens the Global Port configuration data page.

Ports > ConfigureChoose CONTROLLER > Ports and then click ConfigureAll to navigate to this page.

This page enables you to change the parameters of all front-panel physical ports on the Cisco WLC simultaneously.

Note The Cisco 5500 Series and Cisco Flex 7500 Series Controllers do not support the Spanning Tree Protocol.

Physical Status Displays the actual port physical interface.

Available values are as follows:

• Auto






Link Status Status of the link. Values are Link up or Link Down

Link Trap Port that is set to send a trap when the link status changes. Values include Enable or Disable.

SFP Type Small Form-Factor Pluggable type.

1. The Cisco 5500 and Cisco Flex 7500 Series Controllers do not support the Spanning Tree Protocol.





Buttons



Ports > ConfigureChoose CONTROLLER > Ports and then click on a Port No to navigate to this page.

This page enables you to change the parameters of a single physical port on the Cisco WLC.

Table 4-19 Port Configuration Details


Admin Status Sets the state of all ports to Don’t Apply, Enable or Disable.

Physical Mode Displays the physical mode of all ports.

• Don’t Apply

• Auto






Note In Cisco NM-AIR-WLC6-K9, 5500 series, and 7500 series controllers, the physical mode is always set to Auto.

Link Trap Sets all ports to send or not to send a trap when link status changes. The factory default is Don’t Apply.

STP Mode1

1. The Cisco 5500 Series and Cisco Flex 7500 Series Controllers do not support the Spanning Tree Protocol.

Sets the spanning tree mode on all ports. The factory default is Don’t Apply.

• Don’t Apply

• 802.1D—Enables the ports to participate in the spanning tree and go through all of the spanning tree states when the link state transitions from down to up.

• Off—Disables STP for these ports.

• Fast—Enables the ports to participate in the spanning tree and puts it in the forwarding state when the link state transitions from down to up more quickly than when the STP mode is set to 802.1D.

Note In this state, the forwarding delay timer is ignored on link up.



General Port Configuration

Spanning Tree Protocol Configuration

Note The Cisco 5500 Series and Cisco Flex 7500 Series Controllers do not support the Spanning Tree Protocol.

Table 4-20 General Port Configuration Parameters


Port No Identifies the current port. 13 for optional 1000Base-T or 1000Base-SX module

25 for optional 1000Base-T or 1000Base-SX module

1 for Cisco 4100 Series Wireless LAN Controller 1000Base-SX ports.

Admin Status Sets the state of the port. Enable

Disable

Physical Mode Sets the physical mode of the port. Auto

100 Mbps Full Duplex

100 Mbps Half Duplex

10 Mbps Full Duplex

10 Mbps Half Duplex


Note In Cisco NM-AIR-WLC6-K9, 5500 series, and 7500 series controllers, the physical mode is always set to Auto.

Physical Status Displays the current physical port interface status.


100 Mbps Half Duplex

10 Mbps Full Duplex

10 Mbps Half Duplex


Link Status Displays the status of the link. Link Up

Link Down

Link Trap Sets the port to send or not to send a trap when link status changes. The default is enabled.

Enable

Disable

SFP Type Small Form-Factor Pluggable type. 1000BASETX

Not Present



Table 4-21 Spanning Tree Protocol Configuration


STP Port ID Displays the number of the port for which STP is enabled or disabled.

—

STP Mode Sets the STP administrative mode associated with this port.

Off (default value)—Disables STP for this port.

802.1D—Enables this port to participate in the spanning tree and go through all of the spanning tree states when the link state transitions from down to up.

Fast—Enables this port to participate in the spanning tree and puts it in the forwarding state when the link state transitions from down to up more quickly than when the STP mode is set to 802.1D.

Note In this state, the forwarding delay timer is ignored on link up.

STP State Displays the port's current STP state. It controls the action that a port takes upon receiving a frame.

Disabled—The port is not participating in spanning tree because the port is shut down, the link is down, or STP is not enabled for this port.

Blocking—The port does not participate in frame forwarding.

Listening—The first transitional state after the blocking state when STP determines that the port should participate in frame forwarding.

Learning—The port prepares to participate in frame forwarding.

Forwarding—The port forwards frames.

Broken—The port is malfunctioning.

STP Port Designated Root

Displays the unique identifier of the root bridge in the configuration BPDUs.

–

STP Port Designated Cost

Displays the path cost of the designated port.

–

STP Port Designated Bridge

Displays the identifier of the bridge that the port considers to be the designated bridge for this port.

–

STP Port Designated Port

Displays the port identifier on the designated bridge for this port.

–


Chapter 4 Controller Tab NTP

Buttons



NTPChoose CONTROLLER > NTP to navigate to this page. From here you can choose the following:

• CONTROLLER > NTP > Server to configure the Network Time Protocol parameters.

See NTP > NTP Servers for more information.

• CONTROLLER > NTP > Keys to configure the Network Time Protocol keys.

See NTP > NTP Keys for more information.

NTP > NTP ServersChoose CONTROLLER > NTP > Server to navigate to this page. Use this page to set the Network Time Protocol parameters.

STP Port Forward Transitions Count

Displays the number of times that the port has transitioned from the learning state to the forwarding state.

–

STP Port Priority

Sets the location of the port in the network topology and how well the port is located to pass traffic.

0 to 255

Default value: 128

STP Port Path Cost Mode

Determines whether the STP port path cost is set automatically or specified by the user. If you choose User Configured, you also need to set a value for the STP Port Path Cost parameter.

Auto (default value)

User Configured

STP Port Path Cost

Sets the speed at which traffic is passed through the port. This parameter must be set if the STP Port Path Cost Mode parameter is set to User Configured.

0 to 65535

The default value is 0, which causes the cost to be adjusted for the speed of the port when the link comes up.

Note Typically, a value of 100 is used for 10-Mbps ports and 19 for 100-Mbps ports.

Table 4-21 Spanning Tree Protocol Configuration




Click a server index number to go to the NTP Server > Edit page to change the NTP server IP address.

Remove an NTP server entry by hovering your cursor over the blue drop-down arrow and choosing Remove. You are prompted for confirmation of the NTP server removal.

Ping the NTP server by hovering your cursor over the blue drop-down arrow and choosing Ping.

Buttons


• New: Adds a new item to a list. To set up a new NTP server, click to open the NTP Server > New page.

NTP Server > NewChoose CONTROLLER > NTP > Server and click New to navigate to this page. This page enables you to add a new NTP server.

Table 4-22 NTP Parameters


NTP Polling Interval Seconds Network polling time interval in seconds.

Server Index NTP server index. The Cisco WLC tries Index 1 first, and then Index 2 through 3, in a descending order. If your network is using only one NTP server, you should use Index 1.

Server Address (IPv4/IPv6) IP address of the NTP server. From Release 8.0, IPv4 and IPv6 is supported.

Key Index NTP key index.

NTP Msg Auth Status Authentication Status of NTP message. It could either be AUTH SUCCESS or AUTH DISABLE.

Table 4-23 New Network Time Protocol Server Configuration


Server Index (Priority) NTP server index. The Cisco WLC tries Index 1 first, and then Index 2 through 3, in a descending order. Set this to 1 if your network is using only one NTP server.

Server IP Address (IPv4/IPv6)

IP address of the NTP server. From Release 8.0, NTP Server supports IPv4 and IPv6.

Enable NTP Authentication

Select or unselect the check box to enable or disable NTP authentication.

Key Index Key index of the NTP server. This parameter is available when you enable NTP authentication.



Buttons



NTP Server > EditChoose CONTROLLER > NTP and then click the server index number to navigate to this page. This page enables you to change the NTP server.

Buttons



NTP > NTP KeysChoose CONTROLLER > NTP > Keys to navigate to this page. This page enables you to set the Network Time Protocol keys.

Click a index number to go to the NTP Keys > Edit page to change the NTP key details.

Remove an NTP key entry by hovering your cursor over the blue drop-down arrow and choosing Remove. You are prompted for confirmation of the NTP key removal.

Buttons

New: Adds a new item to a list. To add a new NTP key, click to open the NTP Keys > New page.

Table 4-24 Network Time Protocol Server Configuration Parameters


Server Address (IPv4/IPv6)

IP address of the NTP server. From Release 8.0, NTP Server supports IPv4 and IPv6.

Enable NTP Authentication

Check box that you can select to enable or disable NTP authentication.

Table 4-25 NTP Key Parameters


Index NTP server index.

Key Index NTP key index.



NTP Keys > NewChoose CONTROLLER > NTP > Keys and then click New to navigate to this page. This page enables you to associate a new NTP key to a Server index.

Buttons



NTP Keys > EditChoose CONTROLLER > NTP > Keys and then click the index number to navigate to this page. This page enables you to change the NTP key.

Buttons



Table 4-26 New Network Time Protocol Key Configuration


Key Index NTP server index to which you want to associate the NTP key.

Checksum Checksum that is md5 by default.

Key Format Format of the key.

Choose either ASCII or HEX from the drop-down list.

Key NTP key value.

Table 4-27 Network Time Protocol Key Configuration Parameters


Key Index NTP server index to which you want to associate the NTP key.

Key Format Format of the key.

Choose either ASCII or HEX from the drop-down list.

Key NTP key value.


Chapter 4 Controller Tab CDP

CDP

Controller ConfigurationChoose CONTROLLER > CDP > Controller Configuration to navigate to this page. This page enables you to configure the Cisco Discovery Protocol (CDP).

Cisco Discovery Protocol Overview

The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on all Cisco-manufactured equipment. A device enabled with CDP sends out periodic interface updates to a multicast address in order to make itself known to neighboring devices.

The default value for the frequency of periodic transmissions is 60 seconds, and the default advertised time-to-live value is 180 seconds. The second and latest version of the protocol, CDPv2, introduces new time-length-values (TLVs) and provides a reporting mechanism that allows for more rapid error tracking, reducing down time.

CDPv1 and CDPv2 are supported on the following devices:

• Cisco Flex 7500 and 5500 Series Controllers

• Lightweight access points

• An access point connected directly to a Cisco Flex 7500 and 5500 Series Controller

This support enables network management applications to discover Cisco devices.

The following TLVs are supported by both the controller and the access point:

• Device-ID TLV: 0x0001—The hostname of the controller, the access point, or the CDP neighbor.

• Address TLV: 0x0002—The IP address of the controller, the access point, or the CDP neighbor.

• Port-ID TLV: 0x0003—The name of the interface on which CDP packets are sent out.

• Capabilities TLV: 0x0004—The capabilities of the device. The controller sends out this TLV with a value of Host: 0x10, and the access point sends out this TLV with a value of Transparent Bridge: 0x02.

• Version TLV: 0x0005—The software version of the controller, the access point, or the CDP neighbor.

• Platform TLV: 0x0006—The hardware platform of the controller, the access point, or the CDP neighbor.

• Power Available TLV: 0x001a—The amount of power available to be transmitted by Power Sourcing Equipment to permit a device to negotiate and select an appropriate power setting.

The following TLVs are supported only by the access point:

• Full/Half Duplex TLV: 0x000b—The full- or half-duplex mode of the Ethernet link on which CDP packets are sent out. This TLV is not supported on access points that are connected directly to a Cisco 5500 Series Controller.

• Power Consumption TLV: 0x0010—The maximum amount of power consumed by the access point. This TLV is not supported on access points that are connected directly to a Cisco Flex 7500, 5500, Series Controllers.

• Power Request TLV:0x0019—The amount of power to be transmitted by a powerable device in order to negotiate a suitable power level with the supplier of the network power.


Chapter 4 Controller Tab PMIPv6

Note Changing the CDP configuration on the controller does not change the CDP configuration on the access points that are connected to the controller. You must enable and disable CDP separately for each access point.

Parameters and Descriptions

For information on displaying CDP neighbor information, see the following topics:

• CDP Neighbors Details

• CDP Neighbors

• CDP AP Neighbors

• CDP Traffic Metrics

Buttons


PMIPv6Proxy Mobile IPv6 (PMIPv6) is a network-based mobility management protocol. The controller uses the PMIPv6 protocol and works with the Mobile Access Gateway (MAG) and ASR5K, the partner Local Mobility Anchor (LMA), to provide seamless mobility of mobile clients. MAG tracks the mobile node and signals the mobile node’s LMA.

Choose CONTROLLER > PMIP to navigate to this page. From here you can choose the following:

• CONTROLLER > PMIP > General to configure global parameters for PMIPv6.

Table 4-28 CDP Global Configuration Parameters

Parameter Description Range Default

CDP Protocol Status Parameter that allows you to enable or disable CDP on the controller.

Note You also need to enable CDP on the access point.

Note Enabling or disabling this feature will be applicable to all the controller ports.

— Enabled

CDP Advertisement Version

Highest CDP version supported on the controller.

Version 1 (v1) or version 2 (v2)

v1

Refresh-time Interval (seconds)

Interval at which CDP messages are to be generated.

5 to 254 seconds 60 seconds

Holdtime (seconds) Amount of time to be advertised as the time-to-live value in generated CDP packets.

10 to 255 seconds 180 seconds



See PMIPv6 > General for more information.

• CONTROLLER > PMIP > LMA to add new and view existing Local Mobility Anchor (LMA) to the controller.

See PMIPv6 > LMA for more information.

• CONTROLLER > PMIPv6 > Profile to view existing PMIPv6 profiles.

See PMIPv6 > Profile for more information.

PMIPv6 > GeneralChoose CONTROLLER > PMIP > General to configure global parameters for PMIPv6.

Note For timer parameters, default values appear in the UI when you reconfigure the domain name.



Domain Name Name of the PMIPv6 domain. The domain name can be up to 127 case-sensitive, alphanumeric characters.

MAG Name Name of the MAG.

Interface Interface of the controller used for PMIPv6.

MAG APN Access Point Name (APN) if you subscribe to a MAG. MAG can be configured for one of the following roles:

• 3gpp—Specifies the role as 3GPP (Third Generation Partnership Project standard)

• lte—Specifies the role as Long Term Evolution (LTE) standard

• wimax—Specifies the role as WiMax

• wlan—Specifies the role as WLAN

By default, the MAG role is WLAN. However, for lightweight access points, the MAG role should be configured as 3GPP. If the MAG role is 3GPP, it is mandatory to specify an APN for the MAG.

Maximum Bindings Allowed

Maximum number of binding entries in the MAG. The range is from 0 to 40000. The default value is 10000.

Binding Lifetime Lifetime of the binding entries in the controller. The binding lifetime should be a multiple of 4 seconds.

The range is from 10 to 65535 seconds. The default value is 3600.

Binding Refresh Time

Refresh time of the binding entries in the MAG. The binding refresh time should be a multiple of 4 seconds.

The range is from 4 to 65535 seconds. The default value is 300 seconds.

Binding Initial Retry Timeout

Initial timeout between the proxy binding updates (PBUs) when the MAG does not receive the proxy binding acknowledgements (PBAs).




PMIPv6 > LMAChoose CONTROLLER > PMIP > LMA to add new and view existing Local Mobility Anchor (LMA) to the controller.

Click New to add a new LMA to the controller.

Buttons

Apply: Adds a new LMA member.

PMIPv6 > ProfileChoose CONTROLLER > PMIPv6 > Profile to navigate to this page. This page lists existing PMIPv6 profiles.

Binding Maximum Retry Timeout

Maximum timeout between the proxy binding updates (PBUs) when the MAG does not receive the proxy binding acknowledgments (PBAs).


Replay Protection Timestamp

Maximum amount of time difference between the timestamp in the received proxy binding acknowledgment and the current time of the day.

The range is from 1 to 255 milliseconds. The default value is 7 milliseconds.

Minimum BRI Retransmit Timeout

Minimum amount of time that the MAG waits before retransmitting the BRI message.


Maximum BRI Retransmit Timeout

Maximum amount of time that the MAG waits before retransmitting the Binding Revocation Indication (BRI) message.


BRI Retries Maximum number of times that the MAG retransmits the BRI message before receiving the Binding Revocation Acknowledgement (BRA) message.




Table 4-30 LMA Parameters


Member Name Name of the LMA connected to the controller. The LMA name can be up to 127 case-sensitive, alphanumeric characters.

Member IP Address

IP address of the LMA connected to the controller.


Chapter 4 Controller Tab Tunneling

Buttons

• New: Adds a new PMIPv6 profile.

Click a PMIPv6 profile to edit the configurations of the PMIPv6 profile.

PMIPv6 Profile > NewChoose CONTROLLER > PMIPv6 > Profile and then click New to navigate to this page. This page allows you to create a new PMIPv6 profile.

Buttons



PMIPv6 Profile > EditChoose CONTROLLER > PMIP > Profile and then click on any profile to navigate to this page. This page allows you to add more NAIs and remove any of the existing NAIs.

Button

• Add NAI: Allows you to add more NAIs.

Tunneling

EoGREChoose CONTROLLER > Tunneling > EoGRE to navigate to this page.

Table 4-31 Profile Parameters


Profile Name Name of the PMIPv6 profile.

Network Access Identifier

Name of the Network Access Identifier (NAI) associated with the profile. The NAI can be up to 127 case-sensitive alphanumeric characters.

LMA Name Name of the LMA to which the profile is associated. The LMA name can be up to 127 alphanumeric, case-sensitive characters.

Access point node Name of the access point node connected to the controller.


Chapter 4 Controller Tab IPv6

ProfilesChoose CONTROLLER > Tunneling > Profiles to navigate to this page.

IPv6

Neighbor Binding TimersChoose CONTROLLER > IPv6 > Neighbor Binding Timers to navigate to this page. This page enables you to configure the Neighbor Binding timers.

Table 4-32 EoGRE Parameters


Heartbeat Interval (Seconds)

The heartbeat is used in the failover mechanism for the AP to detect if the Active TGW went down

Max Heartbeat Skip Count

Number of keepalive retries before a member status is marked ‘Down’.

Add New TGW

TGW Name Name of the tunnel gateway.

TGW IP Address IPv4 address of the tunnel gateway.

TGW List Shows details of the tunnel gateways added. The details include name of the TGW, IPv4 address of the TGW, status of TGW (Up or Down), and the total number of clients associated.

Add New Domain

Domain Name Name of the domain

TGW-1 Name of the primary/active TGW

TGW-2 Name of the secondary/standby TGW

Domain List Shows details of the domains added. The details include domain name, the two TGWs associated with the domain, and the name of the active TGW.



Add New

Profile Name The heartbeat is used in the failover mechanism for the AP to detect if the Active TGW went down


Chapter 4 Controller Tab IPv6


Buttons


RA Throttle PolicyChoose CONTROLLER > IPv6 > RA Throttle Policy to navigate to this page. This page enables you to configure the RA Throttle Policy.

The purpose of the RA Throttle Policy is to limit the amount of multicast Router Advertisements (RA) circulating on the wireless network.


Table 4-34 Neighbor Binding Timer Parameters


Down Lifetime Maximum time, in seconds, that an entry learned from a down interface is kept in the binding table before the entry is deleted or proof is received that the entry is reachable.

0–86400 seconds 300 seconds

Reachable Lifetime Maximum time, in seconds, that an entry is considered reachable without getting a proof of reachability (direct reachability through tracking or indirect reachability through Neighbor Discovery protocol [NDP] inspection). After that, the entry is moved to stale.


Stale Lifetime Maximum time, in seconds, that a stale entry is kept in the binding table before the entry is deleted or proof is received that the entry is reachable.


Unknown Address Multicast NS Forwarding

The controller forwards the IPv6 packets without validating the multicast Neighbor Solicitation (NS) frame.

— —

Table 4-35 RA Throttle Policy Parameters


Enable RA Throttle Policy

IPv6 RA throttling. – Disabled

Throttle Period Duration of throttle period in seconds. 10–86400 seconds

600 seconds


Chapter 4 Controller Tab mDNS

Buttons


RA GuardChoose CONTROLLER > IPv6 > RA Guard to navigate to this page. This page enables you to configure router advertisement (RA) filtering.

RA Guard is a Unified Wireless solution to drop RA from wireless clients. It is configured globally, and by default it is enabled.

Buttons


mDNSMulticast DNS (mDNS) Service Discovery provides a way to announce and discover devices like printers, computers, and services on the local network. mDNS performs DNS queries over IP multicast. mDNS supports zero configuration IP networking. mDNS uses the multicast IP address 224.0.0.251 as the destination address and 5353 as the UDP destination port.

Choose CONTROLLER > mDNS > General to navigate to this page. From here, you can choose the following:

• CONTROLLER > mDNS to configure the global mDNS parameters.

See mDNS > General for more information.

• CONTROLLER > mDNS > Profiles to view the mDNS profiles configured on the controller and create new mDNS profiles.

Max Through Number of RAs that will pass through over a period.

0–256 10

Interval Option Behavior RAs that have an interval option.

Ignore, Passthrough, or Throttle

Passthrough

Allow At-least Minimum number of RAs that will not be throttled per router.

0–32 1

Allow At-most Maximum number of RAs that will not be throttled per router.

0–256 1

No Limit No limit to be placed on the maximum number of RAs that will not be throttled per router.

– Disabled

Table 4-35 RA Throttle Policy Parameters




See mDNS > Profiles for more information.

• CONTROLLER > mDNS > Domain Names to view the domain names and other details of the service providers.

See mDNS > Domain Names for more information.

• CONTROLLER > mDNS > mDNS Browser to view the domain names and other details of the service providers.

See mDNS Browser for more information.

• CONTROLLER > mDNS > mDNS Policies to view the total number of mDNS Service groups.

See mDNS Service Groups for more information.

mDNS > GeneralChoose CONTROLLER > mDNS > General to navigate to this page. This page enables you to configure the global mDNS parameters and update the Master Services database.

, Table 4-36 Profile Parameters


Global Configuration

mDNS Global Snooping

Check box that you select to enable snooping of mDNS packets.

Note The controller does not support IPv6 mDNS packets even when you enable mDNS snooping.

Query Interval mDNS query interval, in minutes, that you can set. The query interval is the frequency at which the Cisco WLC sends periodic queries to all the services defined in the Master Service database. The range is from 10 to 120 minutes. The default value is 15 minutes.

Master Services Database



To view the details of an mDNS service, hover your cursor over the blue drop-down arrow of a service, and choose Details. The mDNS > Service > Detail page appears, for more information, see mDNS > Service > Detail.

mDNS > Service > DetailChoose CONTROLLER > mDNS > General, hover your cursor over the blue drop-down arrow for a service, and choose Details to navigate to this page. This page enables you to view the details of each service.

Service Drop-down list from which you can choose the supported services that can be queried. The following services are available:

• Air Tunes

• Apple File Sharing Protocol (AFP)

• Scanner

• FTP

• iTunes Music Sharing

• iTunes Home Sharing

• iTunes Wireless Device Syncing

• Apple Remote Desktop

• Apple CD/DVD Sharing

• Time Capsule Backup

Click Add after you choose a service.

The controller displays the top 10 services. To add a new mDNS-supported service, choose Other. Specify the service name and service string.

The controller snoops and learns about the mDNS service advertisements only if the service is available in the Master Services database.The controller can snoop and learn a maximum of 64 services.

Service Name Name of the mDNS service.

Service String Unique string associated to an mDNS service. For example,” _airplay._tcp.local.” is the service string associated to Apple TV.

Query Status Check box that you select to enable an mDNS query for a service.



Table 4-37 Service Detail Parameters


Service Name Name of the mDNS service.

Service String Unique string associated to an mDNS service. For example,” _airplay._tcp.local.” is the service string associated to Apple TV.



mDNS > ProfilesChoose CONTROLLER > mDNS > Profiles to view the mDNS profiles configured on the controller and create new mDNS profiles.

After creating a new profile, you must map the profile to an interface group, an interface, or a WLAN. Clients receive service advertisements only for the services associated with the profile. The controller gives the highest priority to the profiles associated to interface groups, followed by the interface profiles, and then the WLAN profiles. Each client is mapped to a profile based on the order of priority.

By default, the controller has an mDNS profile, default-mdns-profile. You cannot delete this default profile.

For more information, see the following topics:

Service ID Unique service ID associated to an mDNS service.

Service Query Status Status of the service query that indicates if the service can be queried by the Cisco WLC. The Cisco WLC queries the service only if the query status is enabled for the service.

Profile Count Number of profiles associated with the service. You can associate multiple services to a profile and map the profile to a WLAN, interface, or an interface group.

Service Provider Count Number of service providers or hosts that provide the service.

Profile Information

Profile Name Names of the profiles associated with the service.

Service Provider Information

MAC Address MAC address of the service provider.

Service Provider Name Name of the service provider. Beginning in Release 8.0 and later releases, the maximum number of service providers for different controller models are as follows:

• Cisco 5500 and 2500 Series Controllers—6400

• Cisco Wireless Services Module 2—6400

• Cisco 8500 and 7500 Series Controllers—16000

VLAN ID VLAN ID of the service provider.

Type Type of service provider that is one of the following:

• Wired— Service provider is on the infrastructure side.

• Wireless— Service provider is a wireless client.

• Wired guest— Service provider is on a guest LAN.

TTL Time to Live (TTL) value in seconds that determines the validity of the service offered by the service provider. The service provider is removed from the controller when the TTL expires.

Time Left Time left in seconds before the service provider is removed from the controller.

Table 4-37 Service Detail Parameters




• Mapping mDNS Profiles to an Interface Group

• Mapping mDNS Profiles to an Interface

• Mapping mDNS Profiles to a WLAN

Buttons

New: Creates a new mDNS profile.

Mapping mDNS Profiles to an Interface Group

To map a profile to an interface group, follow these steps:

Step 1 Choose CONTROLLER > Interface Groups and click the Interface Group name to navigate to the Interface Groups > Edit page.

Step 2 Choose an mDNS profile from the drop-down list.

Mapping mDNS Profiles to an Interface

To map a profile to an interface, follow these steps:

Step 1 Choose CONTROLLER > Interfaces and then click on an interface name to navigate to the Interfaces > Edit page.


Mapping mDNS Profiles to a WLAN

To map a profile to a WLAN, follow these steps:

Step 1 Choose WLANs and click the Profile name to navigate to the WLANs > Edit page.

Step 2 Select the mDNS check box.


Table 4-38 mDNS Profile Parameters


Number of profiles Number of mDNS profiles configured on the controller.

Profile Name Name of the mDNS profile. You can create a maximum of 16 profiles.

Number of Services Number of services in an mDNS profile.



mDNS Profile > EditChoose CONTROLLER > mDNS > Profiles and click the Profile name to navigate to the mDNS Profile > Edit page. You can view the following details of the profile:

• Profile Name

• Profile ID

• Service Count

• Number of interfaces attached

• Number of interface groups attached

• Number of WLANs attached

To add more services to the profile, choose a service from the Service drop-down list and click Add. You can choose from a list of services that are configured in the Master service database. To update the Master service database, choose CONTROLLER > mDNS > General.

mDNS > Domain NamesChoose CONTROLLER > mDNS > Domain Names to view the domain names and other details of the service providers.

Each service advertisement contains a record that maps the domain name of the service provider to the IP address. The mapping also contains details such as the client MAC address, the VLAN ID, the TTL, and the IPv4 address.

Table 4-39 Domain Names Parameters


Number of Domain Name-IP Entries

Count of the domain name IP address mappings.

Domain Name Hostname assigned to each service provider machine.

MAC Address MAC address of the service provider machine.

IP Address IP address of the service provider.

VLAN ID VLAN ID of the service provider.

Type Origin of service that can be one of the following:

• Wired

• Wireless

• Wired guest

TTL Time to Live (TTL) value in seconds that determines the validity of the service offered by the service provider. The service provider is removed from the controller when the TTL expires.

Time Left Time left in seconds before the service provider is removed from the controller.



mDNS BrowserChoose CONTROLLER > mDNS > mDNS Browser to view the total number of services added in the master database.

mDNS Service GroupsChoose CONTROLLER > mDNS > mDNS Policies to view total number of mDNS Service groups.

Creating mDNS Service Group

To map a profile to an service group, follow these steps:

Step 1 Choose CONTROLLER > mDNS >mDNS Policies and click the Add Group button.

Step 2 Enter a service group name in the mDNS Service Group Name textbox.

Step 3 Add a description for the service group in the Description textbox.

Table 4-40 mDNS Browser Parameters


Number of Services Total number of services added in the Master database.

Origin From where mDNS service instances are snooped (source). Can be WIRED/WIRELESS/mDNS-AP/WIRED GUEST.

VLAN Snooped Service instance VLAN.

TTL (seconds) Service instance advertised that service will be available for TTL seconds (time to live).

TTL Left (seconds) Service instance available run time.

Client MAC MAC address of service instance.

AP MAC Service instance joined AP Base MAC.

Service String Unique string associated to an mDNS service, for example,_airplay._tcp.local. is the service string associated with Apple TV.

Table 4-41 mDNS Service Groups Parameters


Number of mDNS Policies Total number of mDNS Service groups. This includes admin created / ISE dynamic policy / SNMP.

Number of Admin Created Policies

Total number of mDNS service groups created by WLC admin.

mDNS Service Group Name

Service group name.

Description Service group description.

Origin Service group origin that is created by WLC admin/ISE/SNMP.


Chapter 4 Controller Tab Advanced

Step 4 Click on Add button to create a new mDNS Service Group.

mDNS Service Group > Edit

Choose CONTROLLER > mDNS > Policies and click the mDNS Service Group Name to navigate to the mDNS Service Groups > Edit page. You can add a MAC Address and a rule to the Service Group.

Advanced

DHCP Choose CONTROLLER > Advanced > DHCP to navigate to this page. This page enables you to set the following DHCP parameters:

Table 4-42 mDNS Service Group > Edit Parameters


mDNS Service Group Name Displays the name of the mDNS Service Group selected for editing.

Service Instance List

MAC Address The MAC address of the service group member.

Name Name assigned to identify the group member.

Location Type Location Type of the service group memner. It can be:

• AP Group

• AP Name

• AP Location

Location Location of the Service Group member. It can be:

• Other

• default-group

Note Location value 'Any' means no policy check on location attribute will be performed..

Note For AP Groups, all available AP Group names will be displayed.

Note For AP Name and AP Location, only “others” will be displayed.

Role Name User type or user group of the user, for example, student,employee.

User Name Name of the user.


Chapter 4 Controller Tab Advanced

Table 4-43 DHCP Parameters


Enable DHCP Proxy Drop-down list from which you can choose to enable or disable DHCP proxy on a global basis, rather than on a WLAN basis. DHCP proxy is enabled by default.

When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. Consequently, at least one DHCP server must be configured on either the interface associated with the WLAN or the WLAN itself.


DHCP Option 82 Remote Id field format

Provides additional security when DHCP is used to allocate network addresses. Specifically, it enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. The controller can be configured to add option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server.

Note For DHCP option 82 to work as expected, you must enable DHCP proxy.

Note DHCP option 82 is not supported for use with auto-anchor mobility. See Mobility Anchors for information about anchor mobility.

• AP-MAC—Adds the MAC address of the access point to the DHCP option 82 payload. This is the default value.

• AP-MAC-SSID—Adds the MAC address and SSID of the access point to the DHCP option 82 payload.

• AP-ETHMAC—Adds the Ethernet MAC address of the access point to the DHCP option 82 payload.

• AP-NAME-SSID—Adds the name and SSID of the access point to the DHCP option 82 payload.

• AP-GROUP-NAME—Adds the AP group name of the access point to the DHCP option 82 payload.

• FLEX-GROUP-NAME—Adds the FlexConnect group name of the access point to the DHCP option 82 payload.

• AP-LOCATION—Adds the location of the access point to the DHCP option 82 payload.

• AP-MAC-VLAN-ID—Adds the MAC address and VLAN ID of the access point to the DHCP option 82 payload.

• AP-NAME-VLAN-ID—Adds the name and VLAN ID of the access point to the DHCP option 82 payload.

• AP-ETHMAC-SSID—Adds the MAC address and SSID of the access point to the DHCP option 82 payload.

DHCP Timeout Sets the DHCP timeout in seconds. This value is applicable globally. The valid range is 5 to 120 seconds.


Chapter 4 Controller Tab Controller Spanning Tree Configuration

Buttons


Master Controller ConfigurationChoose CONTROLLER > Advanced > Master Controller Mode to navigate to this page.

This page enables the Cisco WLC to be configured as the master Cisco WLC for your access points that are connected in appliance mode. When there is a master Cisco WLC enabled, all newly added access points with no primary, secondary, or tertiary controllers assigned associate with the master Cisco WLC on the same subnet. This feature enables you to verify the access point configuration and assign primary, secondary, and tertiary controllers to the access point using the All AP Details page.

Note The master Cisco WLC is normally used only while adding new access points to the Cisco Wireless LAN Solution (Cisco WLAN Solution). When no more access points are being added to the network, you should disable the master Cisco WLC.

Note Because the master Cisco WLC is normally not used in a deployed network, the master Cisco WLC setting is disabled upon reboot or OS code upgrade.

Buttons


Controller Spanning Tree ConfigurationChoose CONTROLLER > Advanced > Spanning Tree to navigate to this page.

Note The Cisco 5500 Series Controllers do not support the Spanning Tree Protocol.

The Spanning Tree Protocol (STP) is a link management protocol. Cisco WLANs implement the IEEE 802.1D standard for media access control bridges.

Using the spanning tree algorithm provides redundancy while preventing undesirable loops in a network that are created by multiple active paths between stations. STP enables only one active path at a time between any two network devices (which prevents the loops) but establishes the redundant links as a backup if the initial link fails.

This page enables you to configure the spanning tree algorithm, modify its characteristics, and view statistics.


Chapter 4 Controller Tab Controller Spanning Tree Configuration

Table 4-44 STP Parameters


Spanning Tree Algorithm

Status of whether this Cisco WLC participates in the Spanning Tree Protocol. You can enable or disabled this parameter by selecting the corresponding line on the drop-down entry field. The default is disabled.

Spanning Tree Specification

Indication of what version of the Spanning Tree Protocol is being run. IEEE 802.1D implementations return IEEE 802.1D. If future versions of the IEEE Spanning Tree Protocol are released that are incompatible with the current version, a new value will be defined.

STP Bridge

Priority Value of the writable portion of the bridge ID (the first two octets of the 8 octet long bridge ID). The other (last) 6 octets of the bridge ID are given by the value of the bridge MAC address. The value may be specified as a number between 0 and 65535. The default is 32768.

Maximum Age (seconds)

Value that all bridges use for MaxAge when this bridge is acting as the root. 802.1D-1990 specifies that the range for this parameter is related to the value of STP Bridge Hello Time. The granularity of this timer is specified by 802.1D-1990 to be 1 second. Valid values are 6 through 40 seconds. The default is 20.

Hello Time (seconds) Value that all bridges use for HelloTime when this bridge is acting as the root. The granularity of this timer is specified by 802.1D-1990 to be 1 second. Valid values are 1 through 10 seconds. The default is 2.

Forward Delay (seconds)

Value that all bridges use for ForwardDelay when this bridge is acting as the root. 802.1D-1990 specifies that the range for this parameter is related to the value of STP Bridge Maximum Age. The granularity of this timer is specified by 802.1D-1990 to be 1 second. An agent may return a badValue error if a set is attempted to a value that is not a whole number of seconds. Valid values are 4 through 30 seconds. The default is 15.

STP Statistics

Base MAC Address MAC address used by this bridge when it must be referred to in a unique fashion. When concatenated with dot1dStpPriority, a unique BridgeIdentifier is formed that is used in the Spanning Tree Protocol.

Topology Change Count

Total number of topology changes detected by this bridge since the management entity was last reset or initialized.

Time Since Topology Changed

Time (in days, hours, minutes and seconds) since the last time a topology change was detected by the bridge entity.

Designated Root Bridge identifier of the root of the spanning tree as determined by the Spanning Tree Protocol as executed by this node. This value is used as the root identifier parameter in all configuration bridge PDUs originated by this node.

Root Port Port number of the port that offers the lowest cost path from this bridge to the root bridge.

Root Cost Cost of the path to the root as seen from this bridge.

Max Age seconds Maximum age of the Spanning Tree Protocol information learned from the network on any port before it is discarded.


Chapter 4 Controller Tab Voice Prioritization Configuration

Buttons


Voice Prioritization ConfigurationChoose CONTROLLER > Advanced > Preferred Call to navigate to this page.

Note The Cisco 4400, 5500 Series Controllers, and all nonmesh access points do not support the voice prioritization feature.

The voice prioritization supports the admission of preferred calls for clients that use SIP-based CAC for bandwidth allocation in the controller. Voice prioritization is available only for SIP-based calls, not for TSPEC based calls. The controller gives the highest priority to preferred calls even if there is no bandwidth available in the configured voice pool. The controller should facilitate the urgency of these calls in any way possible without altering the quality of existing calls. If the bandwidth is available, it checks the normal flow and allocates the bandwidth to those calls.

You can configure up to six preferred call numbers. When a call comes to one of the configured preferred numbers, the controller does not check for the CAC limit on the configured voice pool. The controller admits the preferred call if there is some free bandwidth in the 85 percent of the total bandwidth pool. The bandwidth allocation is the same even for roaming-in preferred calls.

The following are the prerequisites for voice prioritization to work:

• WLAN QoS should be set to platinum.

• The ACM should be enabled for the radio.

• The WLAN should have SIP call snooping enabled.

• SIP-based CAC should be enabled.

Hello Time seconds Amount of time between the transmission of configuration bridge PDUs by this node on any port when it is the root of the spanning tree or trying to become the root. This is the actual value that this bridge is currently using.

Forward Delay seconds

Time value that controls how fast a port changes its spanning state when moving toward the forwarding state. The value determines how long the port stays in each of the listening and learning states that precede the forwarding state. This value is also used when a topology change has been detected and is underway to age all dynamic entries in the forwarding database. (This value is the one that this bridge is using, in contrast to STP Bridge Forward Delay that is the value that this bridge and all others would start using if or when this bridge were to become the root.)

Hold Time seconds Minimum time period to elapse between the transmission of configuration BPDUs through a given LAN port. At most, one configuration BPDU shall be transmitted in any Hold Time period.

Table 4-44 STP Parameters



Chapter 4 Controller Tab Voice Prioritization Configuration

Remove a call index entry by hovering your cursor over the blue drop-down arrow and choosing Remove. You are prompted for confirmation of the preferred call removal.

Buttons

Add Number: Adds a new preferred call number to the list. To add a new preferred call, click open the Voice Prioritization > Add Number page.

Voice Prioritization > NewChoose CONTROLLER > Preferred Call and then click Add Number to navigate to this page. This page enables you to add a new preferred number.

Buttons


• Cancel: Disregards any settings or changes.

Table 4-45 Voice Prioritization Parameters


Call Index Configured call index.

Call Number Configured preferred call numbers.

Table 4-46 New Preferred Call Number Parameters


Call Index Call index for a particular preferred number. The valid values are from 1 to 6.

Call Number Preferred call number. When a call comes to any of these numbers, even if there is no bandwidth available in the configured voice pool, the controller facilitates these calls on a priority basis. A maximum of 27 characters is allowed.


C H A P T E R 5
Wireless Tab
The Wireless tab on the menu bar provides access to the Cisco WLAN Solution wireless network configuration. Use the left navigation pane to access specific wireless network parameters. Making this selection from the menu bar opens the All APs page.

You can access the following pages from the Wireless tab:

• All APs

• Load Balancing

• Band Select

• Preferred Calls

• SIP Snooping

• Rx SOP Threshold

• Optimized Roaming

• 802.11a/n/ac Radios

• 802.11b/g/n Radios

• Dual-Band Radios

• Global Configuration

• Mesh

• RF Profiles

• FlexConnect Groups

• FlexConnect ACLs

• 802.11a/n/ac Global Parameters

• 802.11a/n/ac RF Grouping

• 802.11a/n/ac Tx Power Control

• 802.11a/n/ac Dynamic Channel Assignment

• 802.11a/n/ac Coverage Hole Detection

• 802.11a/n/ac RRM

• 802.11a/n/ac Client Roaming

• 802.11a/n/ac Voice Parameters

• 802.11a/n/ac Video Parameters


Chapter 5 Wireless Tab All APs

• 802.11a/n/ac Media Parameters

• 802.11 EDCA Parameters

• 802.11h Global Parameters

• 802.11n/ac (5 GHz) Very High Throughput

• 802.11a/n/ac CleanAir

• 802.11b/g/n Global Parameters

• 802.11b/g/n RF Grouping

• 802.11b Tx Power Control

• 802.11b Dynamic Channel Assignment

• 802.11b Coverage Hole Detection

• 802.11b RRM

• 802.11b/g Client Roaming

• 802.11b/g Client Roaming

• 802.11b/g Voice Parameters

• 802.11b/g/n Video Parameters

• 802.11b/g Media Parameters

• 802.11b/g EDCA Parameters

• 802.11n (2.4 GHz) High Throughput

• Configuring Media Stream

• Media Streams

• Application Visibility and Control

• Country

• Timers

• NetFlow

• QoS Profiles

• QoS Roles for Guest Users

All APsChoose WIRELESS > Access Points > All APs or MONITOR > Summary and click All APs under the AP Summary section to navigate to the All APs page.

This page displays the access points associated with the Cisco WLC. This section consists of the following topics:

• All APs Details

• VLAN Mappings for FlexConnect Access Points

• WebAuth and WebPolicy ACL Mappings for FlexConnect Access Points

• VLAN Mappings for Mesh Access Points

• Neighbor Information of Access Points



• Access Points Statistics

Search AP Filter

Click Change Filter to display the Search APs dialog box (see the following figure) and create or change filter parameters. Click Clear Filter to remove the filter and display the entire access point list.



Note When you enable the MAC address filter, the other filters are disabled automatically. When you enable any of the other filters, the MAC address filter is disabled automatically.

• AP Name—Access point name. If you do not know the exact name of the AP, you can specify the name partially by entering one or more successive characters that are part of the AP name.

• AP Model—Access point model check box where you select and enter the model of the access point.

• Operating Status—Operating status of the access points:

– UP—The access point is up and running.

– DOWN—The access point is not operational.

– REG—The access point is registered to the controller.

– DEREG—The access point is not registered to the controller.

– DOWNLOAD—The controller is downloading its software image to the access point.

• Admin Status—Whether the access points are enabled or disabled on the controller.

• AP Mode—Options to specify the operating mode of the access points: Local, FlexConnect, REAP, Monitor, Rogue Detector, Sniffer, Bridge, and SE Connect. Depending on the capabilities and support available for the APs, one or more options are displayed.

Note The Cisco OEAP 600 Series access point uses Local mode and the settings cannot be altered. The Cisco OEAP 600 Series access point does not support the following AP Modes: Monitor, FlexConnect, Sniffer, Rogue Detector, Bridge, and SE Connect.

Note To configure an access point for wIPS, you must set the AP mode to one of the following from the AP Mode drop-down list: Local, FlexConnect, and Monitor.

• Certificate Type—Check boxes that you can select to specify the types of certificates installed on the access points:

– MIC—Manufactured-installed certificate

– SSC—Self-signed certificate

– LSC—Local significant certificate

• Primary S/W Version—Primary software version.

• Secondary S/W Version—Secondary software version.



Click Find to commit your changes. Only the access points that match your search criteria appear on the All APs page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, MAC address:00:1e:f7:75:0a:a0, AP Name:pmsk-ap, Operational Status:UP, Status: Enabled, and so on).


All APs SummaryThis table describes the AP parameters.

Table 5-1 All APs Summary Parameters


AP Name Operator-defined name of the access point.

IP Address (IPv4/IPv6)

The IPv4/IPv6 address of the AP. From Release 8.0, Cisco WLC supports IPv6.

AP Model Access point model name.

AP MAC MAC address of the access point.

AP Up Time Amount of time that the access point has been powered up.

Admin Status Administration state of the access point.

Operational Status Operational status of the access point that is either registered (REG) or not registered (DEREG).

PoE Status The power level at which the access point is operating: High (20 W), Medium

(16.8 W), or Medium (15.4 W). The controller auto-detects the access point’s power source and displays the power level.

No: Of Clients The maximum number of clients to be allowed per AP.

Port Access point port number.

AP Mode Access point mode of operation:

• Local

• FlexConnect

• Monitor

• Rogue Detector

• Sniffer

• Bridge

• SE Connect

Note Depending on the capabilities and support available for the APs, one or more of the above options are displayed.



For details on a particular access point, click the access point name to open the All APs Details page for that access point.

To view statistics for an access point in Bridge AP mode, click the blue arrow adjacent the desired access point and choose Statistics. The Access Points Statistics page for the selected access point appears.

To view neighbor statistics for an access point in Bridge AP mode, click the blue arrow adjacent the desired access point and choose Neighbor Information. The Neighbor Information of Access Points page for the selected access point appears.

All APs DetailsChoose WIRELESS > Access Points > All APs and then click an AP name to navigate to the AP Details page.

This page shows the details of the selected access point including the hardware, operating system software, and boot version details.

General Tab

The following parameters are not displayed for ODM access point under General parameters:

• AP Mode

• AP Sub Mode

This table describes the general AP parameters.

Certificate Type Type of certificate:

• MIC (manufactured-installed certificate)

• SSC (self-signed certificate)

• LSC (local significant certificate)

OEAP (OfficeExtend AP)

Whether this access point is an OfficeExtend access point.

Primary SW Version Primary image software version available in the access point.

Backup SW Version Backup image software version available in the access point.

AP Sub Mode • AP Sub Mode field that shows wIPS if the access point in is monitor mode and the wIPS submode is configured on the access point.

• None is displayed if the access point is in local/FlexConnect mode and wIPS submode is not configured.

Note wIPS ELM is not supported on 1130 and 1240 access points.

Download Status Download status of the upgrade image on this access point.

Upgrade Role (Master/Slave)

Role of the access point in the upgrade process. Valid values are Master and Slave.

mDNS Status Status of mDNS.

Table 5-1 All APs Summary Parameters






AP Name User-definable name of the access point.

Location User-definable location name for the access point. You can enter up to 254 characters.

AP MAC Address MAC address of the access point.

Base Radio MAC MAC address of the 802.11a/b/g/n radio.

Admin Status Administration state of the access point.

AP Mode Access point mode of operation. The options are as follows:

Note The Cisco OEAP 600 Series access point uses local mode and these settings cannot be altered. Monitor mode, Sniffer mode, Rogue detector mode, Bridge mode, and SE- Connect modes are not supported on the 600 OEAP series.

• Local—Default option.

• FlexConnect—AP mode that is used for 1130AG, 1140, 1240AG, 1250, and AP801 access points.

• Monitor—Monitor-only mode.

• Rogue Detector—AP mode that monitors the rogue APs; the mode does not transmit or contain rogue APs.

• Sniffer—AP mode that starts sniffing the wireless network on a given channel. It captures and forwards all the packets from the clients on that channel to a remote machine that runs Airopeek or Wireshark (packet analyzers for IEEE 802.11 wireless LANs). It will include information on timestamps, signal strength, packet size and so on.

See the Sniffer Feature topic for more details.

• Bridge—AP mode that is a bridge if you are connecting a root AP.

Note This option is displayed only if the AP is bridge capable.

Note If the AP mode is set to “Bridge” and the AP is not REAP capable, an error is displayed.

• SE-Connect—AP mode that is SE-Connect if you want the access point to perform spectrum intelligence. This field does not appear for Cisco Aironet 1520 and 1550 Series access points.

Note Only Cisco CleanAir-enabled access point radios can be configured for Cisco CleanAir.

Note When an access point is configured in SE-Connect mode, the access point reboots and rejoins the controller. Access points configured in this mode will not serve clients.

Note To configure an access point for wIPS, you must set the AP mode to one of the following from the AP Mode drop-down list: Local, FlexConnect, or Monitor.



AP Sub Mode Access Point submode. The available options are as follows:

• WIPS—The AP is in local, FlexConnect, or monitor mode and the wIPS submode is configured on the access point.

• None—The AP is in local/FlexConnect mode and WIPS submode is not configured on the AP.


Operational Status Operational status of the access point that comes up as either registered (REG) or not registered (DEREG) automatically by the Cisco WLC.

Port Number Access point that is connected to this Cisco WLC port.

Network Spectrum Interface Key

32-digit Network Spectrum Interface (NSI) key. The NSI key is required to configure spectrum expert mode.

Note This parameter is shown only for CleanAir capable access points for only Local, FlexConnect, and SE-Connected mode.

Venue Group Drop-down list from which you can choose a Hotspot group that groups similar Hotspot venues. The following options are available:

• Unspecified

• Assembly

• Business

• Educational

• Factory and Industrial

• Institutional

• Mercantile

• Residential

• Storage

• Utility and Misc

• Vehicular

• Outdoor

Venue Type Drop-down list from which you can choose the type of venue based on the Venue Group that you choose.

Venue Name Venue name that you can provide for this access point. This name is associated with the basic service set (BSS). This name is used in cases where the SSID does not provide enough information about the venue. The venue name is case sensitive and can be up to 252 alphanumeric characters.

Language Language used at the venue. ISO-639 encoded string defining the language used at the venue. This string is a three-character language code. For example, you can enter ENG for English.





The following parameters are not displayed for Cisco OEAP 600 Series access point:

• Predownload Status

• Predownloaded Version

• Predownloaded Next Retry Time

• Predownload Retry Count

• All the predownload parameters

• IOS Version

• Mini IOS Version

This table describes the GPS Location parameters. GPS parameters do not appear if the access point does not have a GPS module or the GPS information is invalid.

Network Spectrum Interface (NSI) Key

When an access point in SE-Connect mode joins a controller, it sends a Spectrum Capabilities notification message, and the controller responds with a Spectrum Configuration Request. The request contains the 16-byte random NSI key generated by the controller for use in NSI authentication. The controller generates one key per access point, which the access point stores until it is rebooted.

The following parameters are applicable to Cisco 1570 Series Access Points

Internal Temperature The Internal Temperature of the AP is displayed in both Celsius and Fahrenheit.

Temperature State The Temperature State is shown to be in one of three states: GREEN, YELLOW, or RED. The GREEN state indicates that the AP is functioning normally and the internal temperature is at an optimal operating temperature; the YELLOW state indicates that the AP state is in transition to either GREEN or RED state; if the AP is in RED state, it means that the internal temperature of the AP has increased and the number of antennas that are used for transmission will be reduced.

Heater Status Not applicable to 1570 APs.

PoE Out State The PoE Out State shows the status of the Power over Ethernet output port from the AP. The PoE Out State can be in OFF or ON state depending on the input power source for the AP.



Table 5-3 GPS Location Parameters


GPS Present GPS module that is installed on the access point or not.

Latitude Latitude information of the access point in the GPS data received.

Longitude Longitude information of the access point in the GPS data received.

Altitude Altitude information of the access point in the GPS data received.

GPS Location Age Time when the GPS data was collected.



This table describes the Cable Modem statistics. The Cable Modem statistics are updated every 5 minutes after the AP is associated with the WLC. The Cable Modem statistics are applicable for Cisco 1572C (internal or external antenna cable modem) access points in local or bridge/Flex-bridge modes.

This table describes the version parameters.

Table 5-4 Cable Modem Statistics


Cable Modem Statistics

Information about the following is shown:

• AP Name

• AP MAC Address

• CM MAC Address

• CM Software Version

• Ethernet Speed

• Ethernet Status

• Docsis Registration Status

• CM Serial Number

• CM Mask

US Channel Status Information about the following is shown:

• Channel ID

• Power Level

• Center Frequency

• Carrier to Noise Ratio

DS Channel Status Information about the following is shown:

• Channel ID

• Power Level

• Center Frequency

Table 5-5 Version Parameters


Primary Software Version

Primary software version.

Backup Software Version

Version of the backup software on this access point.

Predownload Status Predownload status on this access point.

Predownloaded Version

Version of the software that is being predownloaded.

Predownload Next Retry time

Time duration after which this access point will try to perform a predownload operation.



This table describes the IP config parameters.

Predownload Retry Count

Number of times this access point has tried to perform the predownload operation.

Boot Version Boot ROM versions.

IOS Version Cisco IOS software version.

Mini IOS Version Mini-IOS software version.

GPS Location GPS parameters do not appear if the access point does not have a GPS module or the GPS information is invalid.

GPS Present GPS module that is installed on the access point or not.

Latitude Latitude information of the access point in the GPS data received.

Longitude Longitude information of the access point in the GPS data received.

Altitude Altitude information of the access point in the GPS data received.

GPS Location Age Time when the GPS data was collected.

Table 5-5 Version Parameters


Table 5-6 IP Config Parameters


CAPWAP Preferred Mode

Displays the current CAPWAP Preferred mode of the AP. It can be:

• IP Config (Global)— Configured at Controller > General.

• IP Config (AP Group Config)—Configured at WLAN > Advanced > AP Groups > General Tab.

DHCPv6 Address Displays the DHCP IPv6 address.



This table describes the time statistics.

Static IP (IPv4/IPv6) Check box to enable configuration of the AP using static IP address. From Release 8.0, IPv4 and IPv6 are supported.

Static IP (IPv4/IPv6) Static IP address of the access point.

When an access point boots up, it tries to determine if its static IP address is configured or not. If the access point has been configured with a static IP address that is not valid on the network, the access point cannot join the controller and cannot communicate with the rest of the network. In such a scenario, the only way to recover that access point is to manually open the access point door and connect a serial console for configuration purpose.

The access point can be configured in such a way that, even if its static IP address is not valid on the network, it initiates a DHCP process to get a new IP address and use it for communication. This configuration enables the access point to join the controllers on the network.

Note An access point cannot discover the controller using domain name system (DNS) resolution if a static IP address is configured for the access point, unless you specify a DNS server and the domain to which the access point belongs.

Options for this parameter are as follows:

• Unselected—When this check box is not selected, the static IP address is disabled and the access point initiates a DHCP process when it boots up to procure the IP address.

• Checked—When this check box is selected, you can set the following:

– The static IPv4/IPv6 address of the access point.

– The subnet mask/ prefix length assigned to the access point IPv4/IPv6 address.

– The IPv4/IPv6 gateway of the access point.

Click Apply to commit your changes. The access point reboots and rejoins the controller, and the static IP address that you specified in is sent to the access point. You can now configure the DNS server IP address and domain name. To do so, follow these steps:

– In the DNS IP Address text box, enter the IPv4/IPv6address of the DNS server.

– In the Domain Name text box, enter the name of the domain to which the access point belongs.

Click Apply to commit your changes.

Table 5-6 IP Config Parameters




• Click Reset AP Now to reset the access point.

• Click Clear All Config to reset the access point parameters to the factory defaults.

• Click Clear Config Except Static IP to reset the access point parameters to the factory defaults but retains the static IP address information.

Credentials Tab

Note The Credentials Tab is not displayed for ODM access points.

This table describes the credentials parameters.

This table describes the controller configuration parameters.

Table 5-7 Time Statistics Parameters


UP Time Amount of time that the access point has been powered up.

Controller Associated Time

Amount of time that the access point has been associated with the controller.

Controller Associated Latency

Amount of time that the access point took to associate with the controller.

Table 5-8 Credentials Tab Parameters


Over-ride Global credentials

Access point that is prevented from inheriting the global username, password, and enable password from the controller. The default value is unselected.

Username Unique username for this access point.

Password Unique password for this access point.

Enable Password Unique enable password for this access point.

Table 5-9 802.11X Supplicant Credentials Parameters


Over-ride Global credentials

Access point that is prevented from inheriting the global authentication username and password from the controller. The default value is unselected.

Username Unique username for this access point.



Interfaces Tab

Note To enable or disable CDP either on an Ethernet or radio interface, you should enable the global CDP for that particular access point. See Global Configuration for more information.

Note CDP over radio interface is applicable only for mesh APs.

Note The CDP state and CDP configuration are not displayed for the Cisco OEAP 600 Series access point under the Ethernet Interfaces parameters.

This table describes the ethernet interface parameters.

Password Unique password for this access point.

Note You must enter a strong password. Strong passwords have the following characteristics:

• They are at least eight characters long.

• They contain a combination of uppercase and lowercase letters, numbers, and symbols.

• They are not words in any language.

Confirm Password Unique password that you can reenter for this access point.



Table 5-10 Ethernet Interface Parameters


CDP Configuration

Ethernet Interface#

Ethernet interface number.

CDP State Current configured state of CDP on all or a specific Ethernet interface. The status could be enabled or disabled.

Note You can enable or disable CDP on all or a specific Ethernet interface by choosing WIRELESS > Access points > Global Configuration and select CDP State check box over a particular Ethernet interface.

Interface CDP interface name.

Operational Status

Status of the interface.

Tx Unicast Packets

Number of unicast packets transmitted.

Rx Unicast Packets

Number of unicast packets received.



Click an interface name to view its properties.

This table describes the interface parameters.

Tx Non-Unicast Packets

Number of nonunicast packets transmitted.

Rx Non-Unicast Packets

Number of nonunicast packets received.

Table 5-10 Ethernet Interface Parameters


Table 5-11 Interface Properties Parameters

Parameter Name Description


Link speed Speed of the interface in Mbps.

RX Bytes Total number of bytes in the error-free packets received on the interface.

RX Unicast Packets Total number of unicast packets received on the interface.

RX Non-Unicast Packets Total number of nonunicast or multicast packets received on the interface.

Input CRC Total number of CRC error in packets received on the interface.

Input Errors Sum of all errors in the packets while receiving on the interface.

Input Overrun Number of times the receiver hardware was incapable of handing received data to a hardware buffer because the input rate exceeded the receiver's capability to handle the data.

Input Resource Total number of resource errors in packets received on the interface.

Runts Number of packets that are discarded because they are smaller than the medium's minimum packet size.

Throttle Total number of times the interface advised a sending NIC that it was overwhelmed by packets being sent and to slow the pace of delivery.

Output Collision Total number of packets retransmitted due to an Ethernet collision.

Output Resource Resource errors in packets transmitted on the interface.

Output Errors Errors that prevented the final transmission of packets out of the interface.

Operational Status Operational state of the physical Ethernet interface on the AP.



This table describes the radio interface parameters.

Duplex Interface's duplex mode.

TX Bytes Number of bytes in the error-free packets transmitted on the interface.

TX Unicast Packets Total number of unicast packets transmitted on the interface.

TX Non-Unicast Packets Total number of nonunicast or multicast packets transmitted on the interface.

Input Aborts Total number of packets aborted while receiving on the interface.

Input Frames Total number of packets received incorrectly that had a CRC error and a noninteger number of octets on the interface.

Input Drops Total number of packets dropped while receiving on the interface because the queue was full.

Unknown Protocol Total number of packets discarded on the interface due to an unknown protocol.

Giants Number of packets that are discarded because they exceeded the medium's maximum packet size.

Interface Resets Number of times that an interface has been completely reset.

Output No Buffer Total number of packets discarded because there was no buffer space.

Output Underrun Number of times the transmitter has been running faster than the router can handle.

Output Total Drops Total number of packets dropped while transmitting from the interface because the queue was full.

Table 5-11 Interface Properties Parameters

Parameter Name Description

Table 5-12 Radio Interface Parameters


Number of Radio interfaces

Number of radio interfaces.

CDP Configuration

Radio Slot# Slot where the radio is installed.

CDP State Current configured state of CDP on the radio slot. The status could be enabled or disabled.

Note You can enable or disable CDP on all or a specific access point by choosing WIRELESS > Access points > Global Configuration and selecting the CDP State check box over a particular radio interface.



High Availability Tab

The high availability feature is used to help an AP move over to a controller when the current controller fails. The backup and secondary are the fourth and fifth in the order of controllers if primary, secondary, and tertiary controllers are configured under the AP. If the primary, secondary, and tertiary controllers are not configured, then the AP will use the backup primary if the current controller fails.

Note If the AP supports IPv6 then it can discover a WLC over IPv6 CAPWAP tunnel.

Note When the Cisco OEAP 600 Series access point joins the controller, the high availability settings have only the IP address that have been entered in the local UI of the OEAP 600 Series from the controller.

This table describes the high availability parameters.

Radio Interface Type Cisco Radio type. The value is either 802.11a/n/ac, 802.11b/g/n, or 802.11a/b/g/n. 802.11a/b/g/n appears if you have the monitor module for 3600 access points.

Module Type Access Point module type.

Sub Band Radio sub band, if it is active. The value is either 4.9 GHz or 5.8 GHz.

Admin Status Cisco Radio interface status.

Oper Status Cisco Radio operational status.

CleanAir Admin Status

CleanAir administration status.

CleanAir Oper Status

CleanAir operational status.

Regulatory Domain Regulatory domain that is supported or unsupported.

Table 5-12 Radio Interface Parameters


Table 5-13 High Availability Parameters


Primary Controller Name and management IP address of the primary controller. From Release 8.0, IPv4 and IPv6 are supported.

Secondary Controller Name and management IP address of the secondary controller. From Release 8.0, IPv4 and IPv6 are supported.



Inventory Tab

This table describes the inventory parameters.

Tertiary Controller Name and management IP address of the tertiary controller.From Release 8.0, IPv4 and IPv6 are supported.

AP Failover Priority Priority for the access point:

• Low—Assigns the access point to the level 1 priority, which is the lowest priority level. This is the default value.

• Medium—Assigns the access point to the level 2 priority.

• High—Assigns the access point to the level 3 priority.

• Critical—Assigns the access point to the level 4 priority, which is the highest priority level.

Table 5-13 High Availability Parameters


Table 5-14 Inventory Tab Parameters


Product ID Model of the access point.

Version ID Version of the access point.

Serial Number Serial number of the access point; for example, FTX0916T134.

Entity Name Entity name of the access point.

Entity Description Entity description of the access point.

Certificate Type Certificate type as either Self Signed or Manufacture Installed.

FlexConnect Mode Supported

Whether the access point can be configured as a remote edge lightweight access point. The values are Yes or No.

FlexConnect Mode is supported on the 1130AG, 1240AG, and 1250 access points.

Note By default, a VLAN is not enabled on the FlexConnect. After it is enabled, FlexConnect inherits the VLAN name (interface name) and VLAN ID associated to WLANs. This configuration is saved in the access point and received after the successful join response. By default, no VLAN is set as a native VLAN. There must be one native VLAN configured per REAP in a VLAN-enabled domain. Otherwise, REAP cannot send packets to or receive packets from the controller. When the client gets assigned a VLAN from the RADIUS server for the client, that VLAN is associated to the local switched WLAN.

Note Black list—FlexConnect supports the first 128 entries in the list in the standalone mode.



Mesh Tab

Note This tab appears if you set the AP Mode on the General Tab to Bridge.

This table describes the mesh parameters.

Table 5-15 Mesh Tab Parameters


AP Role Root AP or Mesh AP.

Root APs have a wired CAPWAP (Control and Provisioning of Wireless Access Points) protocol connection back to a controller. This connection uses the backhaul wireless interface to communicate to neighboring Mesh APs. Root APs are parent nodes to any bridging or mesh network and connect a bridge or mesh network to the wired network. You can have only one Root AP for any bridged or mesh network.

Mesh APs have no wired connection to a controller. They can be completely wireless supporting clients, communicating to other Mesh APs and a Root AP to get access to the network, or they can be wired and serve as a bridge to a remote wired network.

Bridge Type (Display Only Field) Whether the access point is an indoor or outdoor access point.

Bridge Group Name Bridge group name.

Use bridge group names to logically group the access points and to avoid two networks on the same channel from communicating with each other.

Note For the access points to communicate with each other, they must have the same bridge group name.

Ethernet Bridging Ethernet bridging on the access point.

If the AP Mode is Root AP, Ethernet bridging is enabled by default.

If the AP Mode is Mesh AP, Ethernet bridging is disabled by default.

Enable Ethernet bridging on a Mesh AP if you want to do one of the following:

• Use the mesh nodes as bridges.

• Connect an Ethernet device on the Mesh AP using its Ethernet port.

Note When you enable Ethernet Bridging and click Apply, the Ethernet Bridging Parameters area appears and lists the four Ethernet ports of the mesh access point.

Backhaul Interface (Display Only Field) Backhaul interface (802.11a, 802.11b, 802.11g, or 802.11n).



Note The following parameters appear when you enable Ethernet Bridging and click Apply.

This table describes the Ethernet bridging parameters.

Bridge Data Rate (Mbps)

Rate at which data is shared between the access points. The drop-down list displays the data rates depending on the Backhaul Interface set.

The correct range of values depend on the backhaul interfaces used by the access points.

The data rates (Mbps) are as follows:

• 802.11a: auto, 6, 9, 12, 18, 24, 36, 48, 54

Note In previous software releases, the default value for bridge data rate for 802.11a was 24 Mbps. In controller release 6.0, the default value for the bridge data rate is auto. If you configured the default bridge data rate value (24 Mbps) in a previous controller software release, the bridge data rate is configured with the new default value (auto) when you upgrade to controller software release 6.0. However, if you configured a nondefault value (for example, 18 Mbps) in a previous controller software release, that configuration setting is preserved when you upgrade to software release 6.0.

When the bridge data rate is set to auto, the mesh backhaul chooses the highest rate where the next higher rate cannot be used due to unsuitable conditions for that specific rate (and not because of conditions that affect all rates).

• 802.11b: 1, 2, 5.5, 11

• 802.11g: 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54

Ethernet Link Status Status of the Ethernet (LAP1510) or Gigabit Ethernet (LAP1522) links. For each link, the status can be Up, Dn, or Na.

Heater Status Status of the heater.

Internal Temperature Internal temperature of the access point in Fahrenheit and Celsius.



Table 5-16 Ethernet Bridging Parameters


Interface Name Name of the interface. Click the interface name to open the VLAN Mappings for Mesh Access Points page.

To configure access mode on a Mesh access point, click the gigabitEthernet1 interface.

To configure trunk mode on a Root or Mesh access point, click the gigabitEthernet0 interface.

Oper Status Operational status of the interface.



FlexConnect Tab

Note This tab appears if you set the AP Mode on the General Tab to FlexConnect.

This table describes the FlexConnect parameters.

Mode Mode of the interface: Normal, Access, or Trunk.

VLAN ID VLAN ID of the interface.



Table 5-17 FlexConnect Parameters


VLAN Support Check box to configure the native VLAN ID and the VLAN mappings.

Note After you enable VLAN support, click Apply to activate the VLAN Mappings button.

Inheritance Level Shows the status of the VLAN Support configuration. If Native VLAN on AP is overridden, then this is shown as Group Specific.

Make VLAN AP Specific/Remove VLAN AP Specific

Drop-down list to configure VLAN support for the FlexConnect AP. When the override flag at the FlexConnect group is disabled, this additional inheritance level configuration is available for the FlexConnect AP. If you choose “Make VLAN AP Specific,” then the VLAN support, Native VLAN ID, and WLAN-VLAN mappings are made specific to this AP and not to the FlexConnect group.

Native VLAN ID VLAN ID number.

VLAN Mappings VLAN mappings for the locally switched WLANs. Click the VLAN Mappings button. You can also view VLAN-ACL mappings on the AP via FlexConnect groups.

FlexConnect Group Name

Name of the group if the access point belongs to a FlexConnect group. See the FlexConnect Groups page for more information about FlexConnect groups.

PreAuthentication Access Control Lists

External WebAuthentication ACLs

ACLs for external web authentication. Click the External WebAuthentication ACLs link to view and configure the ACL mappings and web policy ACLs.

Local Split ACLs ACLs for the local split WLANs. Click the Local Split ACLs link to view and configure the local split ACLs of the REAP groups. These ACLs locally switch traffic in centrally switched WLANs.

Central DHCP Processing

Central DHCP processing parameters. Click the Central DHCP Processing link to view the WLAN DHCP mappings and configure WLAN DHCP parameters such as Central DHCP, Override DNS, and NAT/PAT. Click Add to create a new WLAN DHCP mapping.



Mesh Tab

Note This tab appears only for Mesh APs.

This table describes the mesh parameters.

OfficeExtend AP

Note Only Cisco Aironet 1130 series and 1140 series access points that are joined to a Cisco 5500 Series Controller with a WPlus license can be configured to operate as OfficeExtend access points. For more information, see the OfficeExtend Access Points topic.

Enable OfficeExtend AP

OfficeExtend mode for this access point. The default value is enabled.

Note Unselecting this check box disables OfficeExtend mode for this access point. It does not undo all the configuration settings on the access point.

Enable Least Latency Controller Join

Access point to choose the controller with the least latency when joining. The default value is disabled.

When you enable this feature, the access point calculates the time between the discovery request and the discovery response and joins the Cisco 5500 Series Controller that responds first.

Reset Personal SSID Access point’s personal SSID that you can clear.

Note If you want to clear the access point’s configuration and return it to the default settings, enter the clear ap config Cisco_AP command on the controller CLI.

Table 5-17 FlexConnect Parameters


Table 5-18 Mesh Parameters


AP Role Drop-down list from which you can choose a Root AP or Mesh AP.

Bridge Type Type of bridge that can Indoor or Outdoor.

Bridge Group Name Bridge group names (BGNs) that control the association of mesh access points. BGNs can logically group radios to avoid two networks on the same channel from communicating with each other. The setting is also useful if you have more than one RAP in your network in the same sector (area). The BGN can be a string of up to 10 characters.

Ethernet Bridging Check box that you enable to configure Ethernet bridging. For security reasons, the Ethernet port on all MAPs is disabled by default. It can be enabled only by configuring Ethernet bridging on the root and its respective MAP. You must enable Ethernet bridging in the following scenarios:

• When you want to use the mesh nodes as bridges.

• When you want to connect any Ethernet device such as a video camera on the MAP using its Ethernet port. This is the first step to enable VLAN tagging.



Advanced Tab

The following parameters are not displayed for the Cisco OEAP 600 series access point:

• Cisco Discovery Protocol

• Rogue Detection

• Telnet

• SSH

This table describes the advanced parameters.

Backhaul Interface Backhaul interface on which the access point operates. Backhaul is used to create only the wireless connection between the access points. The default backhaul interface is 802.11a or 802.11a/n/ac depending upon the access point.

Bridge Data Rate Drop-down list from which you can choose the data rate of the bridge. The rate selection is important for effective use of the available RF spectrum. The rate can also affect the throughput of client devices.

Ethernet Link Status Status of the Ethernet link.

Heater Status Heater status of the access point.

Internal Temperature Internal temperature of the access point.

Table 5-18 Mesh Parameters




Regulatory Domains Regulatory domain of the AP.

Country Code Country code. See the Country topic for information on configuring the country code.

Cisco Discovery Protocol

Cisco Discovery Protocol that you can enable or disable. The default is unselected.

Note If CDP is disabled at the controller level, a message “Controller CDP Disabled” appears.

AP Group Name AP Group’s VLANs that you have created.

To associate an AP group VLAN with an access point, follow these steps:

1. Select an AP group VLAN from the drop-down list.

2. Click Apply.

For more information on creating a new AP group and mapping it to an interface, see the AP Groups page.

Statistics Timer Time in seconds that the access point sends its 802.11 statistics to the Cisco WLC.



Data Encryption Datagram Transport Layer Security (DTLS) data encryption that you can enable or disable. The default is unselected.

Cisco 5500 Series Wireless Controllers enable you to encrypt CAPWAP control packets (and optionally, CAPWAP data packets) that are sent between the access point and the controller using DTLS. DTLS is a standards-track Internet Engineering Task Force (IETF) protocol based on TLS. CAPWAP control packets are management packets exchanged between a controller and an access point while CAPWAP data packets encapsulate forwarded wireless frames. CAPWAP control and data packets are sent over separate UDP ports: 5246 (control) and 5247 (data). If an access point does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established.

Note If an access point with data encryption enabled tries to join any other controller, the access point joins the controller, but data packets are sent unencrypted.

DTLS data encryption is enabled automatically for OfficeExtend access points but disabled by default for all other access points. Most access points are deployed in a secure network within a company building, so data encryption is not necessary. The traffic between an OfficeExtend access point and the controller travels through an unsecure public network, so data encryption is more important for these access points. When data encryption is enabled, traffic is encrypted at the access point before it is sent to the controller and at the controller before it is sent to the client.

Note Encryption limits throughput at both the controller and the access point, and maximum throughput is desired for most enterprise networks.

The availability of data DTLS for the 7.1 release is as follows:

• The Cisco 5500 Series Controller will be available with two licenses options. One that allows data DTLS without any license requirements and another image requiring a license to use data DTLS. The images for the DTLS and licensed DTLS images are as follows:

– Licensed DTLS—AS_5500_LDPE_x_x_x_x.aes

– Non licensed DTLS—AS_5500_x_x_x_x.aes

• Cisco 7500, 2500, WiSM2, WLC2—These platforms by default will not contain DTLS. To turn on data DTLS, a license must be installed. That is, these platforms will have a single image with data DTLS turned off. To use data DTLS you must have a license.

Note If your controller does not have data DTLS license and if the access point associated with the controller has DTLS enabled, the data path will be unencrypted.

The following are some of the guidelines when upgrading to or from a DTLS image:

• You cannot install a regular image (DTLS enabled) once a non-DTLS image is installed.

• You can upgrade from one licensed DTLS image to another licensed DTLS image.

• You can upgrade from a regular image (DTLS) to a licensed DTLS image in a two step process.

• You cannot upgrade from a licensed DTLS image to any regular image.

Rogue Detection Rogue detection for individual access points that you can enable or disable. Rogue detection is enabled by default for all access points joined to the controller (except for OfficeExtend access points). The default is unselected.





AP Sub Mode AP submode that displays wIPS if the access point is in Monitor mode (from the AP Mode drop-down list on the General Tab) and the wIPS submode is configured on the access point or None if the access point is in local/FlexConnect modes and wIPS submode is not configured.


Telnet Telnet or SSH connectivity on this access point. The default is unselected.

These protocols make debugging the access point easier, especially when the access point is unable to connect to the controller.

SSH

TCP Adjust MSS Enables the configuration of the maximum segment size (MSS) for transient packets that traverse a router on a per AP basis.

From Release 8.0, the controller supports IPv6. Use the following Global TCP Adjust MSS values for:

• IPv4—Specify a value between 536 and 1363.

• IPv6—Specify a value between 1220 and 1331.

Note Any TCP MSS value that is below 1220 and above 1331 will not be effective for CAPWAP v6 AP

UDP Lite Displays the per AP UDP lite status.

Note The UDP Lite field is displayed only for APs that are associated using CAPWAP v6. This field is not displayed for APs associated using IPv4 address.

Disable LAN Ports Parameter that makes the AP work only as a wireless AP.

Note This option is applicable only for Cisco 600 Series OfficeExtend Access Points.

Disable Personal SSID

Parameter that disallows users from setting up personal SSIDs.

Note This option is applicable only for Cisco 600 Series OfficeExtend Access Points.

LED State Parameter to enable or disable the LED state of the AP to be shown.

LED Flash State • Click the LED flash duration for the AP option and enter the duration range from 1 to 3600 seconds

• Click the Indefinite option to configure the LED to flash indefinitely

• Click the Disable option to stop flashing the LED

Link Latency

Note The Link Latency parameters are not displayed for ODM access points.

Enable Link Latency Link latency for this access point.

Enable link latency to measure the link between an access point and the controller. This feature can be used with all access points joined to the controller but is especially useful for FlexConnect access points (in connected mode) and OfficeExtend access points, for which the link could be a slow or unreliable WAN connection.

Note FlexConnect access points in standalone mode are not supported.

Current (mSec) Current round-trip time (in milliseconds) of CAPWAP heartbeat packets from the access point to the controller and back.

Minimum (mSec) Minimum round-trip time (in milliseconds) of CAPWAP heartbeat packets from the access point to the controller and back since link latency has been enabled or reset.





Maximum (mSec) Maximum round-trip time (in milliseconds) of CAPWAP heartbeat packets from the access point to the controller and back since link latency has been enabled or reset.

Reset Link Latency Link latency statistics on the controller for this access point.

AP Image Download

Note The 1120, 1230, and 1310 access points do not support predownloading of images.

Perform a primary image pre-download for this AP

Primary image predownload. Click Download Primary to perform a primary image predownload for this access point.

An alert box displays the version that would be downloaded when the access point boots. Click OK to continue.

Perform an interchange of both the images on this AP

Interchange of images. Click Interchange Image to change the images on this access point.

A dialog box prompts you to confirm if you want to interchange the images. Click OK to continue.

Perform a backup image pre-download for this AP

Backup image predownload. Click Download Backup to predownload a backup image for this access point.

A pop-up window displays the version that would be downloaded when the access point boots. Click OK to continue.

Power Over Ethernet Settings

Note The Power Over Ethernet Settings parameters are not displayed for Cisco OEAP 600 Series access points.

PoE Status Status that applies only to 1250 series access points that are powered using PoE.

This field shows the power level at which the access point is operating: High (20 W), Medium (16.8 W), or Medium (15.4 W). This field is not configurable. The controller automatically detects the access point’s power source and displays the power level here.

Note There are two other ways to tell if the access point is operating at a lower power level. First, the “Due to low PoE, radio is transmitting at degraded power” message appears under the Tx Power Level Assignment section on the Configuring 802.11a/n APs page. Second, the “PoE Status: degraded operation” message appears in the controller’s trap log on the Trap Logs page.

Pre-Standard State Whether the access point is being powered by a high-power Cisco switch.

Unselect the check box if power is being provided by a power injector.

This option is disabled by default.

Power Injector State Whether the attached switch supports intelligent power management (IPM) and a power injector is being used. If the attached switch supports IPM, you do not need to select this check box.

Power Injector Selection

One of the following options:

• Installed—Select the check box if you want the access point to examine and remember the MAC address of the currently connected switch port (this selection assumes that a power injector is connected).

If you want to configure the switch MAC address, enter the MAC address in the Injector Switch MAC address text box.

• Override—Select the check box to enable the access point to operate in high-power mode without first verifying a matching MAC address.






Sniffer FeatureWhen the sniffer feature is enabled on an access point, the access point functions as a sniffer and captures and forwards all the packets on a particular channel to a remote machine that runs AirMagnet Enterprise Analyzer, Airopeek, or Wireshark. These packets contain information on timestamps, signal strengths, packet sizes and so on.

Note You can enable the sniffer feature only if you are running Airopeek or Wireshark (third-party network analyzer software that supports decoding of data packets).

Injector Switch MAC Address

MAC address of the connected switch port.

AP Core Dump Settings

Note The File Compression parameter is not displayed for ODM access points.

AP Core Dump Upload the access point core dump. The default is enabled.

TFTP Server IP IP address of the TFTP server. From release 8.0, the TFTP server supports IPv6 address too.

File name Access point core dump file (for example, dump.log).

File Compression File compression of the access point core dump file. When you enable this option, the file is saved with a .gz extension (for example, dump.log.gz). This file can be opened with WinZip. The default is disabled.

AP Retransmit Config Parameters

AP Retransmit Count Number of times that you want the access point to retransmit the request to the controller and vice versa. The range is from 3 to 8.

AP Retransmit Interval

Time duration between retransmission of requests. The range is from 2 to 5.

VLAN Tagging Settings

VLAN Tagging VLAN tagging of the CAPWAP packets that you can enable or disable.

Trunk VLAN ID ID of the trunk VLAN.

If the access point is unable to route traffic through the specified trunk VLAN, it untags the packets and reassociates with the controller. The controller sends a trap to a trap server such as the Cisco PI, which indicates the failure of the trunk VLAN.

If the trunk VLAN ID is zero, the access point untags the CAPWAP packets.

VLAN Tag Status Whether the access point tags or untags the CAPWAP packets.





Note You must disable IP-MAC address binding in order to use an access point in sniffer mode if the access point is joined to a Cisco 5500 Series Controller, or a controller network module running software release 6.0. To disable IP-MAC address binding, enter the config network ip-mac-binding disable command from the controller CLI.

Note You must enable WLAN 1 to use an access point in sniffer mode if the access point is joined to a Cisco 5500 Series Controller, or a controller network module running software release 6.0. If WLAN 1 is disabled, the access point cannot send packets.

Before using the sniffer feature, you must configure an access point in sniffer mode at the remote site. See the Cisco Wireless LAN Controller Configuration Guide for installation information for AirMagnet Enterprise Analyzer, Airopeek, and Wireshark packet analyzers for IEEE 802.11 wireless LANs.

Traffic Stream Metrics CollectionChoose MONITOR > Wireless > Clients and then click 802aTSM or 802b/gTSM to navigate to the Traffic Stream Metrics page.

Traffic stream metrics involves collecting of uplink statistics and downlink statistics between an AP and a CCX v4 client and then propagating these statistics periodically back to the controller. If the client is not CCXv4 compliant, then only downlink statistics are captured.

Traffic stream metrics collection can be configured by the user for each interface band (for example, all 802.11a radios). The controller also saves this option in flash memory so that it persists across reboots. Once an AP receives this message, it enables traffic metrics collection feature on the specified interface type.

Every 5 seconds, the AP gets a measurement report for both the uplink (client side) and downlink (local side) measurements. The aggregation of 5-second reports and preparation of 90-second reports is done at the AP. Every 90 seconds, the AP prepares an IAPP data packet and sends it to the controller for further processing. The controller stores the data in its structures and then provides “usmdB” access APIs to the CLI module and the WCS for displaying it on the UI.

Four variables are affected by the WLAN that can affect audio quality: packet latency, packet jitter, packet loss and roaming time. You can isolate the problem of bad voice quality by studying these variables. The traffic stream metrics feature addresses the voice quality issue by providing an administrator with statistics for each of these four variables.

OfficeExtend Access PointsCurrently, Cisco Aironet 1130, 1140, 3502I, 600 series access points that are joined to a Cisco 5500 Series Controller can be configured to operate as OfficeExtend access points.

An OfficeExtend access point provides secure communications from a controller to an access point at a remote location, seamlessly extending the corporate WLAN over the Internet to an employee’s residence. The experience of the teleworker at the home office is exactly the same as it would be at the corporate office. Datagram Transport Layer Security (DTLS) encryption between the access point and the controller ensures that all communications have the highest level of security.



Guidelines and Limitations

1. OfficeExtend access points are designed to work behind a router or other gateway device that is using network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a personal network (private), enabling an entire group of computers to be represented by a single IP address. In controller software release 6.0 or later releases, only one OfficeExtend access point can be deployed behind a single NAT device.

2. Rogue detection is disabled when you enable the OfficeExtend mode for an access point. However, you can enable or disable rogue detection for a specific access point by selecting the Rogue Detection check box on the All APs Details for (Advanced) page. Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect a large number of rogue devices.

3. DTLS data encryption is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable DTLS data encryption for a specific access point by selecting the Data Encryption check box on the All APs Details for (Advanced) page.

4. Telnet and SSH access are disabled when you enable the OfficeExtend mode for an access point. However, you can enable or disable Telnet or SSH access for a specific access point by selecting the Telnet or SSH check box on the All APs Details for (Advanced) page.

5. Link latency is enabled when you enable the OfficeExtend mode for an access point. However, you can enable or disable link latency for a specific access point by selecting the Enable Link Latency check box on the All APs Details for (Advanced) page.

6. The Cisco OEAP 600 Series access point supports a maximum of two WLANs and one remote LAN. If you have configured more than two WLANs and one remote LAN, you can assign the Cisco OEAP 600 Series access point to an AP Group. The support for two WLANs and one remote LAN still applies to the AP Group if the Cisco OEAP 600 Series is in the default group. The WLAN/remote LAN IDs must be less than 8.

7. Only four clients can connect to an Cisco OEAP 600 Series access point through a remote LAN port. This number does not affect the 15-client limit imposed for the Cisco WLC WLANs. The remote LAN client limit supports connecting a switch or hub to the remote LAN port for multiple devices or connecting directly to a Cisco IP phone that is connected to that port. Only the first four devices will be able to connect until one of the devices is idle for more than one minute.

8. CAC is not supported on the Cisco OEAP 600 Series access points.

9. Your firewall must be configured to allow traffic from access points using CAPWAP. Make sure that UDP ports 5246 and 5247 are enabled and are not blocked by an intermediate device that could prevent an access point from joining the Cisco WLC.

controller release 7.1 and later supports OEAP 600 series access points on Cisco 5508, Catalyst 6500 Series Wireless Services Module (WISM-2), and 2500 Series Controllers. Unlike the 1130 and 1140 series access points which required configuration for FlexConnect and setting the sub-mode of the access point to OEAP, the 600 series uses local mode and these settings cannot be altered.

The following access point modes are not supported on the Cisco OEAP 600 Series access points:

• Monitor mode

• FlexConnect mode

• Sniffer mode

• Rogue Detector Bridge mode

• SE-Connect mode



VLAN Mappings for FlexConnect Access PointsChoose WIRELESS > Access Points > All APs, click the AP name of a FlexConnect access point, click the FlexConnect tab, and then click VLAN Mapping to navigate to the VLAN Mappings page. This page enables you to assign a VLAN ID to the FlexConnect access point and configure VLAN mappings for the locally switched WLANs. You can also view VLAN-ACL mappings on the AP via the FlexConnect group.

This table describes the VLAN mapping parameters.


Table 5-20 VLAN Mapping Parameters




WLAN VLAN Mapping

Drop-down list To make the WLAN-VLAN mapping as either specific the FlexConnect AP or to remove the configuration.

WLAN ID WLAN ID number.

SSID Name of the WLAN.

VLAN ID Number of the VLAN from which the clients receive an IP address when doing local switching.

NAT-PAT Status of Network Address Translation and Port Address Translation on the locally switched WLANs.

Inheritance Shows the VLAN support inheritance status.

Centrally Switched WLANs

WLAN ID WLAN ID to which this is mapped to.

SSID Service Set Identifier of the WLAN.

VLANID VLAN ID of the WLAN.

AP Access point name.

AP Level VLAN ACL Mapping

VLAN Id VLAN ID.

Ingress ACL Name of the Ingress ACL.

Egress ACL Name of the Egress ACL.

Group Level VLAN ACL Mapping

VLAN Id VLAN ID.

Ingress ACL Name of the Ingress ACL.

Egress ACL Name of the Egress ACL.



WebAuth and WebPolicy ACL Mappings for FlexConnect Access PointsChoose WIRELESS > Access Points > All APs, > AP_name > FlexConnect tab, and click the External WebAuthentication ACLs link to navigate to the External WebAuthentication ACLs page. This page enables you to configure WLAN ACL mappings for FlexConnect access points and to add WebPolicy ACLs.

This table describes the WebAuth and WebPolicy ACL mappings parameters.


Local Split ACL Mappings (for FlexConnect Access Points)Choose WIRELESS > Access Points > All APs, > AP_name > FlexConnect tab, and click the Local Split ACLs link to navigate to the Local Split ACLs page. This page enables you to configure local split ACLs for FlexConnect access points.

This table describes the local split ACL mappings parameters.

Table 5-21 WebAuth and WebPolicy ACL Mappings for FlexConnect Access Points




WLAN ACL Mapping


WebAuth ACL Drop-down list from which you can choose the FlexConnect ACL for external web authentication in locally switched WLANs. Click Add to configure the WLAN ACL Mapping.

WebPolicies

WebPolicy ACL Drop-down list from which you can select a FlexConnect ACL to be added as a web policy. Click Add to add the WebPolicy ACL.

Note You can configure up to 16 WebPolicy ACLs that are specific to an access point.

Table 5-22 Local Split ACL Mappings for FlexConnect Access Points




WLAN ACL Mapping




Central DHCP ACL Mappings for FlexConnect Access PointsChoose WIRELESS > Access Points > All APs, > AP_name > FlexConnect tab, and click the Central DHCP Processing link to navigate to the Central DHCP Processing page. This page enables you to configure central DHCP, override DNS, and enable NAT/PAT on a WLAN.

This table describes the central DHCP mappings parameters.


VLAN Mappings for Mesh Access PointsChoose WIRELESS > Access Points > All APs, click the AP name of a mesh (bridge) access point, click the Mesh tab, and then click an Ethernet interface from the Ethernet Bridging area to navigate to the VLAN Mappings page.

Note The Ethernet Bridging area appears after you enable Ethernet Bridging and click Apply.

Ethernet VLAN tagging allows specific application traffic to be segmented within a wireless mesh network and then forwarded (bridged) to a wired LAN (access mode) or bridged to another wireless mesh network (trunk mode).


Local-split ACL Drop-down list from which you can choose the Local Split ACL to locally switch traffic in centrally switched WLANs. Click Add to configure the local split ACL mappings.

Local-split configuration is applied specific to a WLAN. You can also apply this configuration from a FlexConnect group or from an AP. If the local-split configuration is applied at both the FlexConnect group level and AP level, then the configuration applied at the AP level has higher priority. In other words, the FlexConnect ACL specific to the AP has higher priority.

Table 5-22 Local Split ACL Mappings for FlexConnect Access Points


Table 5-23 Central DHCP Mappings for FlexConnect Access Points




WLAN DHCP Mapping




Configure access mode on gigabitEthernet1. Configure trunk mode on gigabitEthernet0.

Note Configurations on gigabitEthernet2 and gigabitEthernet3 interfaces are not supported.

Configuring Access Mode

To configure a mesh access point (MAP) access port, follow these steps:

Step 1 Choose access from the mode drop-down list.

Step 2 Enter a VLAN ID. The VLAN ID can be any value between 1 and 4095.

Step 3 Click Apply.

Note VLAN ID 1 is not reserved as the default VLAN.

Note A maximum of 16 VLANs are supported across all of a RAP’s subordinate MAPs.

Configuring Trunk Mode

To configure a root access point (RAP) or MAP trunk port, follow these steps:

Step 1 Choose trunk from the mode drop-down list.

Step 2 Enter a native VLAN ID for the incoming traffic. The native VLAN ID can be any value between 1 and 4095. Do not assign any value assigned to a user-VLAN (access).

Step 3 Click Apply.

A trunk VLAN ID text box and a summary of configured VLANs appears at the bottom of the page. The trunk VLAN ID text box is for outgoing packets.

Step 4 Enter a trunk VLAN ID for outgoing packets:

a. If forwarding untagged packets, do not change the default trunk VLAN ID value of zero (MAP-to-MAP bridging, campus environment).

b. If forwarding tagged packets, enter a VLAN ID (1 to 4095) that is not already assigned (RAP to switch on wired network).

Step 5 Click Add to add the trunk VLAN ID to the allowed VLAN list. The newly added VLAN appears under Configured VLANs on the page.

To remove a VLAN from the list, click the blue arrow adjacent the desired VLAN and choose Remove.




Neighbor Information of Access PointsChoose WIRELESS > Access Points > All APs, click the blue arrow adjacent the desired access point and choose Neighbor Information to navigate to the Neighbor Information page.

This page lists the parent, children, and neighbors of the access point. It provides each access point’s name and radio MAC address.

To perform a link test between the access point and its parent or children, click the blue arrow adjacent the desired access point and choose LinkTest. A dialog box appears.

Click Submit to start the link test. The link test results appear on the Mesh > LinkTest Results page.

• To view the details for any access point on this page, click the blue arrow adjacent the desired access point your cursor over the blue drop-down arrow for the desired access point and choose Details. The Link Details of Access Points page appears.

• To view statistics for any access point on this page, click the blue arrow adjacent the desired access point and choose Stats. The Mesh Neighbor Statistics page appears.

Link Details of Access PointsChoose WIRELESS > Access Points > All APs, click the blue arrow adjacent the desired access point and choose Details to navigate to the Link Details page.

This page displays the following details:

• Neighbor Local Mode AP Fast Heartbeat Timeout (1 to 10)

• Neighbor MAC Address

• Neighbor Type

• Channel

• Backhaul Data Rate

• Link SNR

• Time of Last Hello

Mesh Neighbor StatisticsChoose WIRELESS > Access Points > All APs, click the blue arrow adjacent the desired access point and choose Stats to navigate to the Neighbor Statistics page.

This page displays the following details:

• Neighbor AP Name/MAC Address

• Neighbor Base Radio MAC Address

• Packets Transmitted as Parent

• Packets Received as Parent

• Total Tx Packets

• Total Tx Successful

• Total Tx Retries



• Poor SNR Rx

Access Points StatisticsChoose WIRELESS > Access Points > All APs, click the blue arrow adjacent the desired access point and choose Statistics to navigate to the Access Points Statistics page.

This page provides the following information:

• AP Role—Role of the access point in the mesh network RootAP or MeshAP

• Bridge Group Name—Name of the bridge group to which the access point belongs

• Backhaul Interface—Backhaul interface on which the access point operates

• Switch Physical Port—Number of the physical switch port

Mesh Node Stats

This table describes the mesh node parameters.

Queue Stats

This table describes the queue statistics.

Table 5-24 Mesh Node Parameters


Malformed Neighbor Packets Number of malformed packets received from the neighbor. Examples of malformed packets include malicious floods of traffic such as malformed or short DNS packets and malformed DNS replies.

Poor Neighbor SNR Reporting Number of times the signal-to-noise ratio falls below 12 dB on the backhaul link.

Excluded Packets Number of packets received from excluded neighbor mesh access points.

Insufficient Memory Reporting Number of insufficient memory conditions.

Rx Neighbor Requests Number of broadcast and unicast requests received from the neighbor mesh access points.

Rx Neighbor Responses Number of responses received from the neighbor mesh access points.

Tx Neighbor Requests Number of unicast and broadcast requests sent to the neighbor mesh access points.

Tx Neighbor Responses Number of responses sent to the neighbor mesh access points.

Parent Changes Count Number of times that a mesh access point (child) moves to another parent.

Neighbor Timeouts Count Number of neighbor timeouts.



Mesh Node Security Stats

This table describes the mesh node security statistics.

Table 5-25 Queue Statistics Parameters


Gold Queue Average and peak number of packets waiting in the gold (video) queue during the defined statistics time interval.

Silver Queue Average and peak number of packets waiting in the silver (best effort) queue during the defined statistics time interval.

Platinum Queue Average and peak number of packets waiting in the platinum (voice) queue during the defined statistics time interval.

Bronze Queue Average and peak number of packets waiting in the bronze (background) queue during the defined statistics time interval.

Management Queue Average and peak number of packets waiting in the management queue during the defined statistics time interval.

Table 5-26 Mesh Node Security Statistics Parameters


Transmitted Packets Number of packets transmitted during security negotiations by the selected mesh access point.

Received Packets Number of packets received during security negotiations by the selected mesh access point.

Association Request Failures Number of association request failures that occur between the selected mesh access point and its parent.

Association Request Timeouts Number of association request timeouts that occur between the selected mesh access point and its parent.

Association Requests Successful Number of successful association requests that occur between the selected mesh access point and its parent.

Authentication Request Failures Number of failed authentication requests that occur between the selected mesh access point and its parent.

Authentication Request Timeouts Number of authentication request timeouts that occur between the selected mesh access point and its parent.

Authentication Requests Successful Number of successful authentication requests between the selected mesh access point and its parent.

Reassociation Request Failures Number of failed reassociation requests between the selected mesh access point and its parent.

Reassociation Request Timeouts Number of reassociation request timeouts between the selected mesh access point and its parent.

Reassociation Requests Successful Number of successful reassociation requests between the selected mesh access point and its parent.

Reauthentication Request Failures Number of failed reauthentication requests between the selected mesh access point and its parent.



Link Test

Choose WIRELESS > Access Points > All APs/Detail, and then click Link Test to navigate to the Link Test page.

You can test the status of a bridge connection using the link test. Using the link test, you can configure and execute tests, check the status of a test, and access test data.

This test involves one transmitting WRAP and one receiving WRAP. A WRAP can run only one test at a time; you cannot have multiple WRAPs transmitting to one receiving WRAP.

The link test page displays the link test parameters and the results of the last link tests, sorted by the link test ID. The link test ID is the receiving access point’s ID.

This table describes the link test parameters.

Reauthentication Request Timeouts Number of reauthentication request timeouts that occur between the selected mesh access point and its parent.

Reauthentication Requests Successful

Number of successful reauthentication requests that occur between the selected mesh access point and its parent.

Unknown Association Requests Number of unknown association requests received by the parent mesh access point from its child. The unknown association requests often occur when a child is an unknown neighbor mesh access point.

Invalid Association Requests Number of invalid association requests received by the parent mesh access point from the selected child mesh access point. This state may occur when the selected child is a valid neighbor but is not in a state that allows association.

Reauthentication Requests Number of unknown reauthentication requests received by the parent mesh access point node from its child. This state may occur when a child mesh access point is an unknown neighbor.

Invalid Reauthentication Requests Number of invalid reauthentication requests received by the parent mesh access point from a child. This state may occur when a child is a valid neighbor but is not in a proper state for reauthentication.

Unknown Reassociation Requests Number of unknown reassociation requests received by the parent mesh access point from a child. This state may occur when a child mesh access point is an unknown neighbor.

Invalid Reassociation Requests Number of invalid reassociation requests received by the parent mesh access point from a child. This state may occur when a child is a valid neighbor but is not in a proper state for reassociation.

Table 5-26 Mesh Node Security Statistics Parameters




Note Before conducting a link test on a receiving WRAP, go to the Link Test Results of that WRAP and click Clear to clear the existing Link Test Results.

Specify your link test values and click Link Test.

The link test is conducted for the duration that you specify. If the test is successful, the Link Test Results field parameters are populated with the latest link test results for the selected Bridged Neighbor AP (Link Test ID).

Link Test Results

This table lists the link test result parameters.

Table 5-27 Link Test Parameters


AP Name (Display Only Field) The transmitting WRAP name.

AP MAC address (Display Only Field) The transmitting WRAP MAC address.

AP Role (Display Only Field) The transmitting WRAP role.

Bridged Neighbor AP WRAP whose link you want to test. This is the Link Test ID.

Make sure to clear the existing link test results using the Clear option at the bottom of that WRAP’s Link Test Results area. For example, if you are conducting the link test on Bridged Neighbor AP 8, go to the Link Test Results section, scroll to the Link Test ID 8, and click Clear.

Packet Size Packet size. The range is from 0 to 2300.

Bytes per Second Bytes per second. This value can be up to 80% of the data rate.

Duration in Seconds Test duration. The range is from 10 to 300 seconds.

Data Rate (Mbps) The valid data rates are as follows:

• 802.11a: 6, 9, 12, 18, 24, 36, 48, 54

• 802.11b: 1, 2, 5.5, 11

• 802.11g: 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54


Chapter 5 Wireless Tab 802.11a/n/ac Radios

802.11a/n/ac RadiosChoose WIRELESS > Access Points > Radios > 802.11a/n/ac or MONITOR > Summary and click 802.11 a/n/ac radios to navigate to the 802.11 a/n/ac Radios page.

This page displays an overview of your 802.11a/n/ac Cisco Radio network. The status of each 802.11a/n/ac Cisco Radio configured on this Cisco WLC and its profile is detailed here.

Beginning in controller Release 7.5 and later, 802.11ac APs are supported in the controller. 802.11ac, a 5 GHz-only technology, is a faster and a more scalable version of 802.11n. The 802.11n inherits the

properties of the 802.11n radio.

• To configure the identified Cisco Radio, click the blue arrow adjacent the desired radio and choose Configure (Configuring 802.11a/n APs).

• To view details about the identified Cisco Radio, click the blue arrow adjacent the desired radio and choose Details (802.11a/n/ac AP Interfaces Details).

Table 5-28 Link Test Result Parameters


Link Test ID Receiving WRAP ID specified using the Bridged Neighbor AP field.

Bridged Neighbor AP Receiving WRAP whose link was tested.

Tx Packets Number of packets transmitted during the link test duration.

Tx Dropped Packets Number of transmitting packets dropped during the link test duration.

The transmitting WRAP can only send data at a certain rate. If more data is received than can be sent, it is stored in the buffer. If the buffer is full, some packets are dropped.

Rx Good Packets Number of good packets received during the link test duration.

Rx Lost Packets Number of lost packets during the link test duration.

Rx Out of Order Packets Number of packets received that were not in the order at which they were transmitted during the link test duration.

Packets are received by the receiving WRAP in the order that they were sent by the transmitting WRAP. For example, the second packet transmitted is expected to reach the receiving WRAP as the second packet. If the packet that was sent second reaches the receiving WRAP after it received the forth packet, the second packet is an out of order packet.



Search AP Filter

Click Change Filter to display the Search APs dialog box (see the following figure) to create or change filter parameters. Click Clear Filter to remove the filter and display the entire access point list.

You can create a filter to display the list of access points by MAC addresses or AP names.


• MAC Address—MAC address text box where you enter a MAC address.

• AP Name—AP Name text box where you enter an access point name.

• CleanAir Oper Status—Operational status of the CleanAir capable access point.

Note When you enable filtering by the MAC address, the other filters are disabled automatically. However, you can use a combination of the AP name and CleanAir operational status to filter access points.

Click Find to commit your changes. Only the access points that match your search criteria appear on the 802.11a/n/ac Radios page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, MAC address:00:1e:f7:75:0a:a0 or AP Name:pmsk-ap).


This table lists the 802.11 a/n/ac radio parameters.

Table 5-29 802.11 a/n/ac Cisco Radio Summary Parameters



Radio Slot# Slot in which the radio is installed.

Note Radio slot 2 information for all the AP 3600 radios appears when the 802.11ac radio is plugged in.

Base Radio MAC MAC address of the 802.11a/n/ac radio.

Sub Band Radio sub band, if it is active. The value is 4.9 GHz or 5.8 GHz.

Admin Status Admin status of the access point on this radio.

Operational Status Cisco Radio operational status.

Channel Channel number of the access point.


Administration status of the spectrum sensor for the access point.



Configuring 802.11a/n APsChoose WIRELESS > Access Points > Radios > 802.11a/n/ac, click the blue arrow adjacent the desired access point and choose Configure to navigate to the Configure page. For details on configuring an 802.11ac radio on access points, see Configuring 802.11ac Radio in Access Points.


Status of the spectrum sensor for this access point. The CleanAir status is one of the following:

• UP—The spectrum sensor for the access point radio is operational (error code 0).

• DOWN—The spectrum sensor for the access point radio is not operational because an error has occurred. The most likely reason for the error is that the access point radio is disabled (error code 8). To correct this error, enable the radio.

• ERROR—The spectrum sensor for the access point radio has crashed (error code 128), making CleanAir monitoring nonoperational for this radio. If this error occurs, reboot the access point. If the error continues to appear, you might want to disable CleanAir functionality on the radio.

• N/A—This access point radio cannot support CleanAir functionality. Only Cisco CleanAir-enabled access point radios can be configured for Cisco CleanAir.

Note You can create a filter to make the 802.11a/n Radios page or the 802.11b/g/n Radios page show only access point radios that have a specific CleanAir status (such as UP, DOWN, ERROR, or N/A). This feature is especially useful if your list of access point radios spans multiple pages, preventing you from viewing them all at once. To create a filter, click Change Filter to open the Search AP page, select one or more of the CleanAir Status check boxes, and click Find. Only the access point radios that match your search criteria appear on the 802.11a/n Radios page or the 802.11b/g/n Radios page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, CleanAir Status: UP).

Radio Role Radio role for the backhaul, either UPLINK or DOWNLINK.

Power Level Transmit power level for the access point:

• 1 = Maximum power allowed per Country Code setting

• 2 = 50% power

• 3 = 25% power

• 4 = 6.25 to 12.5% power

• 5 = 0.195 to 6.25% power

Note The power levels and available channels are defined by the Country Code setting and are regulated on a country by country basis.

Antenna Internal or external antennas.

Table 5-29 802.11 a/n/ac Cisco Radio Summary Parameters




This page enables you to configure parameters specifically for this Cisco Radio including the antenna type, RF channel, and Tx power level assignments. The performance profile for this Cisco Radio is also accessed through this page.

General

This table describes the general 802.11a/n/ac parameters.

Link Parameters

These parameters are displayed for the 802.11a/n/ac radios on the Mesh access points.

This table describes the link parameters.

11n Parameters

This table describes the 802.11n parameters.

Clean Air

This table describes the CleanAir configuration parameters.



AP Name (Display Only Field) Customer-definable name of the access point.

Admin Status Interface status of enabled or disabled. The default is enabled.

Note If you disable 802.11n, the 802.11ac radio is also disabled.

Operational Status (Display Only Field) Cisco Radio operational status: either UP or DOWN. The default is UP.

Slot # Slot where the radio is installed.

Table 5-31 Link Parameters


Radio Role Radio role for the backhaul of UPLINK or DOWNLINK.

Source Backhaul MAC MAC address of the source backhaul radio.

Table 5-32 11n Parameters


11n Supported (Display Only Field) Indicates whether 802.11n is supported.

11ac Supported (Display Only Field) Indicates whether 802.11ac is supported. This field appears only for 802.11ac slave radios on slot 2.



Antenna Parameters

This table describes the antenna parameters.

Table 5-33 CleanAir Parameters


CleanAir Capable (Display Only Field) CleanAir capability of the access point. Whether the access point is CleanAir capable.

CleanAir Admin Status Status of the CleanAir admin that you can enable or disable. The default is disabled.

Table 5-34 Antenna Parameters


Antenna Type Internal or external antenna type.

Antenna

(Displayed if 11n is supported)

Specific antennae for the access point that you can enable or disable:

• A—Right antenna port

• B—Left antenna port

• C—Center antenna port

• D—Dua-band antenna

By default, all are selected. For example, to enable transmissions from antenna ports A and B and receptions from antenna port C, you should select the following check boxes: Tx: A and B and Rx: C.

Valid combinations are A, A+B, A+B+C, or A+B+C+D.

When you select a dual-mode antenna, you can apply only a single spatial 802.11n stream rate. The range is from MCS 0 to 7.

When you select two dual-mode antennae, you can apply only two spatial 802.11n stream rates: The range is from MCS 0 to 15.

You must enable two antennae for dual-band access points such as Cisco Aironet 1600 Series Access Point and Cisco Aironet 3600 Series Access Point.



Sniffer Channel Assignment

Note This area is displayed if you set the AP Mode on the General Tab to Sniffer.

This table describes the sniffer channel assignment parameters.

RF Channel Assignment


This table describes the RF channel assignment parameters.

Diversity

(Displayed if 11n is not supported)

Select one of the following:

• Enable—Enables diversity on both the connectors.

• Right—Enables diversity for the Right (Connector B) antenna.

• Left—Enables diversity for the Left (Connector A) antenna.

Antenna Gain Antenna gain.

If you have a high-gain antenna, enter a value that is twice the actual dBi value (see the Cisco Aironet Antenna Reference Guide for antenna dBi values). Otherwise, enter 0.

For example, if your antenna has a 4.4 dBi gain, multiply the 4.4 dBi by 2 and round down to enter only the whole number (8). The controller reduces the actual equivalent isotropic radiated power (EIRP) to make sure that the antenna does not violate your country's regulations.

Note This option is available only if the antenna type is set to external.



Table 5-35 Sniffer Channel Assignment Parameters


Sniff Sniffer operation that you can enable or disable.

When enabled, the access point begins capturing and forwarding all the packets from the client on a specific channel to a remote machine that runs Airopeek or Wireshark (packet analyzers for IEEE 802.11 wireless LANs). The default value is disabled (or unselected).

Channel Channel on which the access points sniffs for packets. The default value is 1.

Server IP Address IP address of the remote machine running Airopeek or Wireshark.


http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-antennas-accessories/product_data_sheet09186a008008883b.html


Table 5-36 RF Channel Assignment Parameters


Current Channel (Display Only Field) Channel number of the access point.

Note The channels 1, 6, and 11 are nonoverlapping.

Channel Width1

1. Statically configuring an access point’s radio for the 20-MHz, 40-MHz, or 80-MHz mode overrides the globally configured DCA channel width setting on the 802.11a/n/ac Dynamic Channel Assignment page. If you ever change the static RF channel assignment method back to Global on the access point radio, the global DCA configuration overrides the channel width configuration that the access point was previously using.

Set the RF channel Assignment Method to Custom, and select one of the following channel widths:

• 20 MHz—Enables the radio to communicate using only 20-MHz channels. Choose this option for legacy 802.11a radios, 20-MHz 802.11n radios, or 40-MHz 802.11n radios that you want to operate using only 20-MHz channels. This is the default value.

• 40 MHz—Enables 40-MHz 802.11n radios to communicate using two adjacent 20-MHz channels bonded together. The radio uses the primary channel that you choose from the Assignment Method drop-down list as well as its extension channel for faster throughput. Each channel has only one extension channel (36 and 40 are a pair, 44 and 48 are a pair, and so on). For example, if you choose a primary channel of 44, the controller would use channel 48 as the extension channel. If you choose a primary channel of 48, the controller would use channel 44 as the extension channel.

• 80 MHz—Enables the radio to communicate using 80-MHz channels. This option is supported only for 802.11ac capable radios. 802.11ac channelization uses four adjacent 20-MHz channels. From the drop-down list you can select the primary channel and based on the available channel pairing, appropriate secondary 20-MHz and secondary 40-MHz extension channels can be configured for the radio.

Note To select the channel width as 80-MHz, 802.11ac support must be enabled in WIRELESS > 802.11a/n/ac > High Throughput (802.11n/ac).

Assignment Method Assignment method that you can choose:

• Global—Use this setting if you set the channel of the access point globally by the Cisco WLC.

• Custom—Use this setting if you set the channel locally. Choose a channel from the drop-down list.

Note The assignment method should be left at the global setting to enable the Cisco WLC to dynamically change the channel number based Radio Resource Management (RRM) directives.

For the Cisco 3600 Access Points with the 802.11ac module, channel and transmit power assignments are not supported in the custom mode. The 802.11ac radio inherits the channel and power assignments applied to the 802.11n radio. When the assignment mode is custom, you can configure only the channel width settings on the 802.11ac radio.



Tx Power Level Assignment

This table describes the Tx power level assignment parameters.

Configuring Tx Power Levels

The Current Tx Power Level setting controls the maximum conducted transmit power. The maximum available transmit power varies according to the configured channel, individual country regulation, and access point capability. See the product guide or data sheet at http://www.cisco.com for each specific model in order to determine the access point capability.

The Current Tx Power Level setting of 1 represents the maximum conducted power setting for the access point. Each subsequent power level (for example, 2, 3, 4, and so on) represents approximately a 50 percent (or 3 dBm) reduction in the transmit power from the previous power level.

Note The actual power reduction may vary slightly for different models of access points.

Based on the configured antenna gain, the configured channel, and the configured power level, the actual transmit power at the access point can be reduced so that the specific country regulations are not exceeded.

Note Whether you choose the Global or Custom assignment method, the actual conducted transmit power at the access point is verified so that country specific regulations are not exceeded.

Performance Profile

See the Performance Profile of 802.11a/n/ac Access Points topic.

Table 5-37 Tx Power Level Assignment Parameters


Current Tx Power Level (Display Only Field) Transmission power level of the access point. Tx Power Level indicates the maximum power.

Note The power levels and available channels are defined by the Country Code setting and are regulated on a country-by-country basis.


• Global—Use this setting if you set the transmit power of the access point globally by the Cisco WLC.

• Custom—Use this setting if the transmit power of the access point is set locally. Choose an option from the drop-down list.

Note The assignment method should be left at the global setting to enable the Cisco WLC to dynamically change the transmit power level based on the Radio Resource Management (RRM).


http://www.cisco.com


Tracking Optimization

Note If your access point is configured to operate in Monitor mode, you can enable tracking optimization on up to four channels within the 2.4 GHz band (802.11b/g radio) of an access point to enable you to focus channel scans only on those channels on which tags are usually programmed to operate (such as channels 1, 6 and 11).

This table describes the tracking optimization parameters.


Configuring 802.11ac Radio in Access PointsBeginning in Cisco WLC Release 7.5 and later, 802.11ac APs are supported by the Cisco WLC. 802.11ac, a 5 GHz-only technology, is a faster and a more scalable version of 802.11n.

Choose WIRELESS > Access Points > Radios > 802.11a/n/ac, click the blue arrow adjacent the desired 802.11ac slave radio on slot 2, and then click Configure to configure the 802.11ac slave radio.

802.11ac radio on slot 2 is a slave radio and you can configure only a few parameters specifically for this Cisco Radio. As 802.11ac is a slave radio, it inherits many properties from the main radio 802.11a/n on slot 1. The only parameters that you can configure for this radio are as follows:

• Admin Status—Interface status of the radio that can be enabled or disabled. The default is enabled. If you disable 802.11n, the 802.11ac radio is also disabled.

• Channel Width—You can choose the RF channel width as 20 MHz, 40 MHz, or 80 MHz. If you choose the channel width as 80 MHz, you must enable 802.11ac mode in the High Throughput page. To enable 802.11ac mode, choose WIRELESS > 802.11a/n/ac > High Throughput (802.11n/ac), and select the 11ac Mode check box.

The 11ac Supported field is a nonconfigurable parameter that appears for the 802.11ac slave radio on slot 2 and indicates that the radio is 802.11ac capable.

For the Cisco 3600 Access Points with the 802.11ac module, channel and transmit power assignments are not supported in the custom mode. The 802.11ac radio inherits the channel and power assignments applied to the 802.11n radio. When the assignment mode is custom, you can configure only the channel width settings on the 802.11ac radio.

Table 5-38 Tracking Optimization Parameters


Enable Tracking Optimization

Tracking optimization that you can enable or disable.

Channel 1Channel 2Channel 3Channel 4

Channels on which you want to monitor tags.

Note To eliminate a channel from monitoring tag, choose None from the channel drop-down list.



Performance Profile of 802.11a/n/ac Access PointsChoose WIRELESS > Access Points > Radios > 802.11a/n/ac or 802.11b/g/n, click the blue drop-down arrow for an AP name, choose Configure, and then click Performance Profile to navigate to the Performance Profile page.

This page shows the details of the performance profile of the selected Cisco Radio.

This table describes the 802.11 parameters.


Table 5-39 802.11 General Parameters


Interface Type Cisco Radio type: 802.11a/n/ac or 802.11b/g/n.


AP ID Access point identification number that is automatically assigned by the Cisco WLC.

Profile Parameters Globally Controlled

Globally controlled parameters that you can enable or disable. You cannot change the following parameters if the Profile Parameters Globally Controlled check box is selected.

Interference (0 to 100%) Foreign 802.11a/n or 802.11b/g/n interference threshold between 0 and 100 percent. You can globally set this setting on the 802.11a/n/ac RF Grouping and 802.11b/g/n RF Grouping pages.

Clients (1 to 75) Client threshold between 1 and 75 clients. You can globally set this setting on the 802.11a/n/ac RF Grouping and 802.11b/g/n RF Grouping pages.

Noise (-127 to 0 dBm) Noise threshold between –127 and 0 dBm. You can globally set this setting on the 802.11a/n/ac RF Grouping and 802.11b/g/n RF Grouping pages.

Coverage (3 to 50 dBm) 802.11a/n or 802.11b/g/n coverage threshold between 3 and 50 dBm. You can globally set this setting on the 802.11a/n/ac RF Grouping and 802.11b/g/n RF Grouping pages.

Utilization (0 to 100%) 802.11a/n or 802.11b/g/n RF utilization threshold between 0 and 100 percent. You can globally set this setting on the 802.11a/n/ac RF Grouping and 802.11b/g/n RF Grouping pages.

Coverage Exception Level (0 to 100%)

Coverage exception level between 0 and 100 percent. You can globally set this setting on the 802.11a/n/ac RF Grouping and 802.11b/g/n RF Grouping pages.

Data Rate (1 to 1000 Kbps)

802.11a/n or 802.11b/g/n throughput threshold between 1 Kbps and 1000 Kbps. You can globally set this setting on the 802.11a/n/ac RF Grouping and 802.11b/g/n RF Grouping pages.

Client Min Exception Level (1 to 75)

Client minimum exception level. You can globally set this setting on the 802.11a/n/ac RF Grouping and 802.11b/g/n RF Grouping pages.



802.11a/n/ac AP Interfaces DetailsChoose WIRELESS > Access Points > Radios > 802.11a/n/ac, click the blue arrow adjacent the desired access point and choose Detail to navigate to the Details page.

This page primarily lists the read-only attributes of the selected Cisco Radio.

AP Details

Note The Monitor Mode parameter is not displayed for ODM access points.

This table describes the AP details.

Station Configuration Parameters

The following parameters are not displayed for Cisco OEAP 600 Series access points:

• CFP Period

• CFP Max Duration

This table describes the station configuration parameters.

Table 5-40 AP Details Parameters


Interface Type Cisco Radio type 802.11a/n/ac.


AP ID Identification number assigned when the access point is configured.

Admin Status Interface status either enabled or disabled.

Operational Status Cisco Radio operational status. The value is UP or DOWN.

11n Supported Support of 11n. The value is Yes or No.

11ac Supported Support of 802.11ac. The value is Yes or No.

Monitor Mode Access point monitor mode: Local (normal operation), Cisco 1030 remote edge lightweight access point (Cisco 1030 IEEE 802.11a/b/g remote edge lightweight access point), or Monitor (monitor-only mode).

Location User-definable location.

Table 5-41 Station Configuration Parameters


Configuration Type Configuration type of Automatic or Custom.

Number of WLANs Number of WLANs. 1 (one) is the default.

Medium Occupancy Limit

Maximum amount of time, in TU, that a point coordinator may control the usage of the wireless medium without relinquishing control for long enough to allow at least one instance of DCF access to the medium. The default value is 100, and the maximum value is 1000.



Operation Rate Set

This table describes the operation rate parameters.

MAC Operation Parameters

This table describes the MAC operation parameters.

CFP Period DTIM intervals between the start of CFPs. It is modified by MLME-START.request primitive.

CFP Max Duration Maximum duration of the CFP in TU that may be generated by the PCF. It is modified by MLME-START.request primitive.

BSSID MAC address of the access point.

Beacon Period Rate at which the SSID is broadcast by the access point, from 100 to 600 milliseconds.

Country String Country in which the station is operating. The first two octets of this string are the two-character country code.



Table 5-42 Operation Rate Set Parameters

Parameter Range

6000 Kilo Bits Mandatory, Supported, or Disabled.








Note The data rates set here are negotiated between the client and the Cisco WLC. If the data rate is set to Mandatory, the client must support it in order to use the network.

If a data rate is set as supported by the Cisco WLC, any associated client that also supports that same rate may communicate with the access point using that rate. It is not required that a client be able to use all the rates marked Supported in order to associate. Each data rate can also be set to Disabled to match client settings.



Tx Power

The following parameters are not displayed for Cisco OEAP 600 Series access points:

• Supported Power Levels

• Tx Power Configuration

• Current Tx Power Configuration Level

This table describes the Tx power parameters.

Table 5-43 MAC Operation Parameters


Configuration Type Configuration type. Valid values are automatic or custom.

RTS Threshold Attribute that indicates the number of octets in an MPDU, below which an RTS/CTS handshake is be performed. An RTS/CTS handshake shall be performed at the beginning of any frame exchange sequence where the MPDU is of type Data or Management, the MPDU has an individual address in the Address1 field, and the length of the MPDU is greater than this threshold. Setting this attribute to be larger than the maximum MSDU size turns off the RTS/CTS handshake for Data or Management type frames transmitted by this STA. Setting this attribute to zero turns on the RTS/CTS handshake for all frames of Data or Management type transmitted by this STA. The default value is 2347.

Short Retry Limit Maximum number of transmission attempts of a frame, the length of which is less than or equal to dot11RTSThreshold, that is be made before a failure condition is indicated. The default value is 7.

Long Retry Limit Maximum number of transmission attempts of a frame, the length of which is greater than dot11RTSThreshold, that shall be made before a failure condition is indicated. The default value is 4.

Fragmentation Threshold Current maximum size, in octets, of the MPDU that may be delivered to the PHY. An MSDU is broken into fragments if its size exceeds the value of this attribute after adding MAC headers and trailers. An MSDU or MMPDU is fragmented when the resulting frame has an individual address in the Address1 field, and the length of the frame is larger than this threshold. The default value for this attribute is the lesser of 2346 or the aMPDUMaxLength of the attached PHY and shall never exceed the lesser of 2346 or the aMPDUMaxLength of the attached PHY. The value of this attribute is never less than 256.

Max. Tx MSDU Lifetime Elapsed time in TU, after the initial transmission of an MSDU, after which further attempts to transmit the MSDU is terminated. The default value is 512.

Max. Rx Life Time Elapsed time in TU, after the initial reception of a fragmented MMPDU or MSDU. Further attempts to reassemble the MMPDU or MSDU are terminated. The default value is 512.



Physical Channel Parameters

The following parameters are not displayed for the ODM access point:

• Configuration

• Current CCA Mode

• ED/TI Threshold

This table describes the physical channel parameters.

RF Recommendation Parameters

This table describes the RF recommendation parameters.

Table 5-44 Tx Power Parameters


# Supported Power Levels Eight or fewer power levels, depending on operator preference.

Tx Power Level 1 Maximum power level that exists across all of the data rates (AP1505 or AP1510 only).

Tx Power Level 2 Tx Power Level 1 minus 3 dBm (AP1505 or AP1510 only).

Tx Power Configuration Globally controlled or customized for this access point.

Current Tx Power Level Operating transmit power level from the transmit power table.

Table 5-45 Physical Channel Parameters


Current Channel Current operating frequency channel.

Configuration Locally customized or globally controlled.

Current CCA Mode CCA method in operation. Valid values are as follows:

• Energy detect only (edonly) = 01

• Carrier sense only (csonly) = 02

• Carrier sense and energy detect (edandcs) = 04

• Carrier sense with timer (cswithtimer) = 08

• High rate carrier sense and energy detect (hrcsanded) = 16

ED/TI Threshold Energy Detect and Threshold that is used to detect a busy medium (frequency). CCA reports a busy medium upon detecting the RSSI above this threshold.


Chapter 5 Wireless Tab 802.11b/g/n Radios

802.11b/g/n RadiosChoose WIRELESS > Access Points > Radios > 802.11b/g/n or MONITOR > Summary and click Detail in the 802.11b/g/n Radios row under the Access Point Summary section to navigate to the 802.11b/g/n Radios page.

This page displays an overview of your 802.11b/802.11g Cisco Radio network. The status of each 802.11b/g Cisco Radio configured on this Cisco WLC and its profile is detailed in the following table.

• To configure the identified Cisco Radio, click the blue arrow adjacent the desired radio and choose Configure (Configuring 802.11b/g/n Radios).

• To view details about the identified Cisco Radio, click the blue arrow adjacent the desired radio and choose Details (802.11b/g/n AP Interfaces Details).

Search AP Filter


You can create a filter to display the list of access points by MAC addresses or AP names. The current filter parameters are displayed in the Current Filter field.

• MAC Address—MAC address text box.

• AP Name—Access point name text box.


Table 5-46 RF Recommendation Parameters


Channel 802.11a/n Low Band, Medium Band, and High Band.

802.11b/g/n.

Tx Power Level 0 if Radio Resource Management (RRM) is disabled.

1 - 5 if Radio Resource Management (RRM) is enabled.

RTS/CTS Threshold 0 if Radio Resource Management (RRM) is disabled,


Refer to RTS Threshold in MAC Operation Parameters above.

Fragmentation Threshold

0 if Radio Resource Management (RRM) is disabled, or as Radio Resource Management (RRM) recommends.

Antenna Pattern 0 if Radio Resource Management (RRM) is disabled, or as Radio Resource Management (RRM) recommends.

Enhanced Local Mode (ELM) Parameters

Promiscuous Mode Dwelling

Percentage of time that the access point spent in promiscuous mode. From Release 7.4 and later releases, the ELM can be in promiscuous mode for data frames too.

This field appears only if the access point is in ELM mode.



Note When you enable filtering by the MAC address, the other filters are disabled. However, you can use a combination of the AP Name and CleanAir Oper Status to filter access points.

Click Find to commit your changes. Only the access points that match your search criteria appear on the 802.11b/g/n Radios page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, MAC address:00:1e:f7:75:0a:a0 or AP Name:pmsk-ap).


802.11b/g/n Radio SummaryThis table describes the 802.11 b/g/n radio summary parameters.

Table 5-47 802.11 b/g/n Radio Summary Parameters




Base Radio MAC Media Access Control address of the 802.11b/g/n radio.

Admin Status Interface status of the access point on this radio. The values are enabled or disabled.

Operational Status Cisco Radio operational status. The values are UP or DOWN.

Channel Channel number of the access point.






Configuring 802.11b/g/n RadiosChoose WIRELESS > Access Points > Radios > 802.11b/g/n, and then click the blue arrow adjacent the desired access point and choose Configure to navigate to the Configure page.

This page enables you to configure parameters specifically for this Cisco Radio including antenna type, RF channel, and Tx power level assignments. The performance profile for this Cisco Radio is also accessed through this page.



• UP—The spectrum sensor for the access point radio is currently operational (error code 0).

• DOWN—The spectrum sensor for the access point radio is currently not operational because an error has occurred. The most likely reason for the error is that the access point radio is disabled (error code 8). To correct this error, enable the radio.


• N/A—This access point radio cannot support CleanAir functionality. Currently, only Cisco Aironet 3500 series access point radios can be configured for Cisco CleanAir.

Note You can create a filter to make the 802.11a/n Radios page or the 802.11b/g/n Radios page show only access point radios that have a specific CleanAir status (such as UP, DOWN, ERROR, or N/A). This feature is especially useful if your list of access point radios spans multiple pages, preventing you from viewing them all at once. To create a filter, click Change Filter to open the Search AP page, select one or more of the CleanAir Status check boxes, and click Find. Only the access point radios that match your search criteria appear on the 802.11a/n Radios page or the 802.11b/g/n Radios page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, CleanAir Status: UP).

Power Level Transmit power level of the access point where

• 1 = Maximum power allowed per Country Code setting

• 2 = 50% power

• 3 = 25% power

• 4 = 6.25 to 12.5% power

• 5 = 0.195 to 6.25% power.



Table 5-47 802.11 b/g/n Radio Summary Parameters




General

This table describes the 802.11b/g/n parameters.

11n Parameters

This table describes the 802.11n parameters.

Clean Air


This table describes the CleanAir parameters.

Antenna Parameters

This table describes the antenna parameters.




Admin Status Administration interface status. The default is enabled.


Slot # Slot where this radio is installed.

Table 5-49 11n Parameters


11n Supported Indicates whether 11n is supported or not.



CleanAir Capable Indicates whether the access point is CleanAir capable.

CleanAir Admin Status Administration status of the spectrum sensor for the access point that you can enable or disable. Set this field to Enable or Disable from the drop-down list.



Sniffer Channel Assignment


This table describes the sniffer channel assignment parameters.



Antenna Type Internal or External.

Antenna

(Displayed if 11n is supported)

Internal or external antennae:

• A—Right antenna port

• B—Left antenna port

• C—Center antenna port

For example, to enable transmissions from antennae ports A and B and receptions from antenna port C, you should select the following check boxes: Tx: A and B and Rx: C.

Diversity

(Displayed if 11n is not supported)

Select one of the following:

For internal antennas:

• Enable—Enables diversity on both Side A and Side B.

• Side A—Enables diversity for the front (door) antenna.

• Side B—Enable diversity for the rear antenna.

For external antennas:

• Enable—Enables diversity on both the connectors.

• Right—Enables diversity for the Right (Connector B) antenna.

• Left—Enables diversity for the Left (Connector A) antenna.

Antenna Gain Actual—Cannot be set.

Table 5-52 Sniffer Channel Assignment Parameters


Sniff Sniffer operation that you can enable or disable.

When enabled, the access point begins capturing and forwarding all the packets from the client on a specific channel to a remote machine that runs Airopeek or Wireshark (packet analyzers for IEEE 802.11 wireless LANs). The default value is disabled (or unselected).

Channel Channel on which the access points sniffs for packets. The default value is 1.

Server IP Address IP address of the remote machine running Airopeek or Wireshark.



RF Channel Assignment

This table describes the RF channel assignment parameters.


This table describes the Tx power level parameters.

Table 5-53 RF Channel Assignment Parameters


Current Channel Channel number of the access point.


Current Width RF channel Assignment Method and TX power level Assignment Method that you set to Custom, and choose the channel width.

• 20 MHz—Enables the radio to communicate using only 20-MHz channels. Choose this option for legacy 802.11a radios, 20-MHz 802.11n radios, or 40-MHz 802.11n radios that you want to operate using only 20-MHz channels. This is the default value.


• Global—Use this setting if your access point’s channel is set globally by the Cisco WLC.

• Custom—Use this setting if you set the channel locally.

Note The assignment method should normally be left at the global setting to enable the Cisco WLC to dynamically change the channel number based Radio Resource Management (RRM) directives.



Current Tx Power Level Transmit power level of the access point. Tx Power Level indicates the maximum power.



• Global—Use this setting if your access point’s transmit power is set globally by the Cisco WLC.

• Custom—Use this setting if your access point’s transmit power is set locally. Choose an option from the drop-down list.

Note The assignment method should be left at the global setting to enable the Cisco WLC to dynamically change the transmit power level based on the Radio Resource Management (RRM).



Configuring Tx Power Levels

The Current Tx Power Level setting controls the maximum conducted transmit power. The maximum available transmit power varies according to the configured channel, individual country regulation, and access point capability. See the product guide or data sheet at http://www.cisco.comfor each specific model in order to determine the access point capability.

The Current Tx Power Level setting of 1 represents the maximum conducted power setting for the access point. Each subsequent power level (for example, 2, 3, 4, and so on) represents approximately a 50-percent (or 3 dBm) reduction in the transmit power from the previous power level.

Note The actual power reduction may vary slightly for different models of access points.

Based on the configured antenna gain, the configured channel, and the configured power level, the actual transmit power at the access point can be reduced so that the specific country regulations are not exceeded.

Note Whether you choose the Global or Custom assignment method, the actual conducted transmit power at the access point is verified so that country specific regulations are not exceeded.

Performance Profile

See the Performance Profile of 802.11a/n/ac Access Points page.

Tracking Optimization

Note If your access point is configured to operate in Monitor mode, you can enable tracking optimization on up to four channels within the 2.4 GHz band (802.11b/g radio) of an access point to enable you to focus channel scans only on those channels on which tags are usually programmed to operate (such as channels 1, 6 and 11).

This table describes the tracking optimization parameters.


Table 5-55 Tracking Optimization Parameters


Enable Tracking Optimization

Tracking optimization.

Channel 1Channel 2Channel 3Channel 4

Channels on which you want to monitor tags.

Note To eliminate a channel from monitoring tags, choose None from the channel drop-down list.


http://www.cisco.com


802.11b/g/n AP Interfaces DetailsChoose WIRELESS > Access Points > Radios > 802.11b/g/n and then click Detail to navigate to the Details page.

This page lists primarily read-only attributes of the selected Cisco Radio.

AP Details

This table describes the AP details.

Station Configuration Parameters

This table describes the station configuration parameters.



Interface Type Cisco Radio type as 802.11b/g/n.



Admin Status Interface status that you can enable or disable.


11n Supported Support of 11n.

Monitor Mode Access point Monitor mode: Local (normal operation), Cisco 1030 remote edge lightweight access point (Cisco 1030 IEEE 802.11a/b/g remote edge lightweight access point), or Monitor (monitor-only mode).




Configuration Type Configuration type of automatic or custom.

Number of WLANs Number of WLANs. 1 (one) is the default.

Medium Occupancy Limit

Maximum amount of time, in TU, that a point coordinator may control the usage of the wireless medium without relinquishing control long enough to allow at least one instance of DCF access to the medium. The default value is 100, and the maximum value is 1000.

CFP Period Number of DTIM intervals between the start of CFPs. It is modified by MLME-START.request primitive.

CFP Max Duration Maximum duration of the CFP in TU that may be generated by the PCF. It is modified by MLME-START.request primitive.

BSSID MAC address of the access point.



Operation Rate Set

This table describes the operation rate set parameters.

The data rates set are negotiated between the client and the controller. If the data rate is set to Mandatory, the client must support it in order to use the network.

If a data rate is set as Supported by the controller, any associated client that also supports that same rate may communicate with the Cisco Aironet 1000 Series IEEE 802.11a/b/g lightweight access point using that rate. It is not required that a client be able to use all the rates marked Supported in order to associate. Each data rate can also be set to Disabled to match Client settings.

MAC Operation Parameters

This table describes the MAC operation parameters.

Beacon Period Rate at which the SSID is broadcast by the access point, from 100 to 600 milliseconds.

Country String Country in which the station is operating. The first two octets of this string are the two-character country code.



Table 5-58 Operation Rate Set Parameters

Parameter Band Range

1000 Kilo Bits 802.11b or 802.11g. Mandatory, Supported, or Disabled.




6000 Kilo Bits 802.11b or 802.11g. Supported or Disabled.










This table describes the Tx power parameters.

Physical Channel Parameters

This table describes the physical channel parameters.

Table 5-59 MAC Operation Parameters


Configuration Type Configuration type of automatic or custom.

RTS Threshold Attribute that indicates the number of octets in an MPDU, below which an RTS/CTS handshake is not performed. An RTS/CTS handshake is performed at the beginning of any frame exchange sequence where the MPDU is of type Data or Management, the MPDU has an individual address in the Address1 field, and the length of the MPDU is greater than this threshold. Setting this attribute to be larger than the maximum MSDU size turns off the RTS/CTS handshake for Data or Management type frames transmitted by this STA. Setting this attribute to zero turns on the RTS/CTS handshake for all frames of Data or Management type transmitted by this STA. The default is 2347.

Short Retry Limit Maximum number of transmission attempts of a frame, the length of which is less than or equal to dot11RTSThreshold, that is made before a failure condition is indicated. The default is 7.

Long Retry Limit Maximum number of transmission attempts of a frame, the length of which is greater than dot11RTSThreshold, that is made before a failure condition is indicated. The default is 4.

Fragmentation Threshold Current maximum size, in octets, of the MPDU that may be delivered to the PHY. An MSDU is broken into fragments if its size exceeds the value of this attribute after adding MAC headers and trailers. An MSDU or MMPDU is fragmented when the resulting frame has an individual address in the Address1 field, and the length of the frame is larger than this threshold. The default value for this attribute is the lesser of 2346 or the aMPDUMaxLength of the attached PHY and will never exceed the lesser of 2346 or the aMPDUMaxLength of the attached PHY. The value of this attribute is never be less than 256.

Max. Tx MSDU Lifetime Elapsed time in TU, after the initial transmission of an MSDU, after which further attempts to transmit the MSDU is terminated. The default value is 512.

Max Rx Life Time Elapsed time in TU, after the initial reception of a fragmented MMPDU or MSDU. Further attempts to reassemble the MMPDU or MSDU are terminated. The default is 512.

Table 5-60 Tx Power Parameters


# Supported Power Levels Eight or fewer power levels, depending on operator preference.

Tx Power Configuration Globally controlled or Customized for this access point.

Current Tx Power Level Operating transmit power level from the transmit power table.



RF Recommendation Parameters

This table describes the RF recommendation parameters.

Enhanced Local Mode (ELM) Parameters

This table describes the ELM parameters.

Table 5-61 Physical Channel Parameters


Current Channel Current operating frequency channel.

Configuration Locally customized or globally controlled.

Current CCA Mode CCA method in operation. Valid values are as follows:

• Energy detect only (edonly) = 01

• Carrier sense only (csonly) = 02

• Carrier sense and energy detect (edandcs) = 04

• Carrier sense with timer (cswithtimer) = 08

High rate carrier sense and energy detect (hrcsanded) =16.

ED/TI Threshold Energy Detect and Threshold that is used to detect a busy medium (frequency). CCA reports a busy medium upon detecting the RSSI above this threshold.

Table 5-62 RF Recommendation Parameters


Channel 802.11a/n Low Band, Medium Band, and High Band.

802.11b/g/n

Tx Power Level 0 if Radio Resource Management (RRM) is disabled.

1- 5 if Radio Resource Management (RRM)is enabled.

RTS/CTS Threshold 0 if Radio Resource Management (RRM) is disabled.


See Threshold in MAC Operation Parameters above.

Fragmentation Threshold

0 if Radio Resource Management (RRM) is disabled, or as Radio Resource Management (RRM) recommends.

Antenna Pattern 0 if Radio Resource Management (RRM) is disabled, or as Radio Resource Management (RRM) recommends.


Chapter 5 Wireless Tab Dual-Band Radios

CleanAir Parameters


Persistent Devices


This table describes the persistent device parameters.

Dual-Band RadiosChoose WIRELESS > Access Points > Radios > Dual-Band Radios or MONITOR > Summary and click Detail in the Dual-Band Radios row under the Access Point Summary section to navigate to this page.

This page displays an overview of your 802.11a/b/g Cisco Radio network. The status of each 802.11a/b/g Cisco Radio configured on this Cisco WLC and its profile is detailed in the following table.

• To configure the identified Cisco Radio, click the blue arrow adjacent the desired access point and choose Configure (Configuring Dual-Band Radios).

• To view details about the identified Cisco Radio, click the blue arrow adjacent the desired access point and choose Details (Dual-Band Radios Details).

Table 5-63 ELM Parameters


Promiscuous Mode Dwelling

Percentage of time that the access point spent in promiscuous mode. Beginning in controller Release 7.4 and later, the ELM can be in promiscuous mode for data frames too.

This field appears only if the access point is in the Local mode or the Flexconnect mode, and the submode is WIPS.

Table 5-64 Persistent Device Parameters


Class Type Class type of the persistent device.

Channel Channel that the device is affecting.

DC (%) Duty cycle (in percentage) of the persistent device.

RSSI(dBm) Received Strength Signal Indicator of the persistent device.

Last Seen Time Timestamp when the device was last active.



Search AP Filter


You can create a filter to display the list of access points by MAC addresses or AP names. The current filter parameters are displayed in the Current Filter field.

• MAC Address—MAC address text box.

• AP Name—Access point name text box.


Note When you enable filtering by the MAC address, the other filters are disabled. However, you can use a combination of the AP Name and CleanAir Oper Status to filter access points.

Click Find to commit your changes. Only the access points that match your search criteria appear on the Dual-Band Radios page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, MAC address:00:1e:f7:75:0a:a0 or AP Name:pmsk-ap).


Dual-Band Radios Summary

This table describes the dual-band radios parameters.

Table 5-65 Dual-Band Radios Summary Parameters




Base Radio MAC Media Access Control address of the 802.11b/g/n radio.

Admin Status Interface status of the access point on this radio. The values are enabled or disabled.

Operational Status Cisco Radio operational status. The values are UP or DOWN.





Configuring Dual-Band RadiosChoose WIRELESS > Access Points > Radios > Dual-Band Radios, and click the blue arrow adjacent the desired access point and choose Configure to navigate to the Configure page.

This page enables you to configure parameters specifically for this Cisco Radio including antenna type, RF channel, and Tx power level assignments. The performance profile for this Cisco Radio is also accessed through this page.

General

This table describes the dual-band radios general parameters.



• UP—The spectrum sensor for the access point radio is currently operational (error code 0).

• DOWN—The spectrum sensor for the access point radio is currently not operational because an error has occurred. The most likely reason for the error is that the access point radio is disabled (error code 8). To correct this error, enable the radio.


• N/A—This access point radio cannot support CleanAir functionality. Currently, only Cisco Aironet 3500 series access point radios can be configured for Cisco CleanAir.

Note You can create a filter to make the Dual-Band Radios page show only access point radios that have a specific CleanAir status (such as UP, DOWN, ERROR, or N/A). This feature is especially useful if your list of access point radios spans multiple pages, preventing you from viewing them all at once. To create a filter, click Change Filter to open the Search AP page, select one or more of the CleanAir Status check boxes, and click Find. Only the access point radios that match your search criteria appear on the Dual-Band Radios page, and the Current Filter parameter at the top of the page specifies the filter used to generate the list (for example, CleanAir Status: UP).


Table 5-65 Dual-Band Radios Summary Parameters





Admin Status Administration interface status. The default is enabled.



11n and 11ac Parameters

This table describes the 802.11n and 802.11ac parameters.

Clean Air


This table describes the CleanAir parameters.

Dual-Band Radios DetailsChoose WIRELESS > Access Points > Radios > Dual-Band Radios and then click Detail to navigate to the Dual-Band Radios page.

This page lists primarily read-only attributes of the selected Cisco Radio.

AP Details



Slot # Slot where this radio is installed.



Table 5-67 11n and 11ac Parameters


11n Supported Whether 11n is supported or not.

11ac Supported Whether 11ac is supported or not.



CleanAir Capable Whether the access point is CleanAir capable.

CleanAir Admin Status CleanAir Administration status of the spectrum sensor for the access point that you can enable or disable. You can set this field to the following options:

• Enable—Enables CleanAir for both 2.4-GHz and 5-GHz radios.

• Disable—Disables CleanAir for both 2.4-GHz and 5-GHz radios.

• 2.4-GHz—Enables CleanAir only for 2.4-GHz radio.

• 5-GHz—Enables CleanAir only for 5-GHz radio.


Chapter 5 Wireless Tab Global Configuration

CleanAir Parameters


Global ConfigurationChoose WIRELESS > Access Points > Global Configuration to navigate to the Global Configuration page. This page enables you to configure the following parameters:

GeneralLED State—Check box and drop-down list to enable or disable the LED state of the access points. When you have many APs deployed and want to locate a specific AP, you can disable the LED state of all APs and then enable the LED state of the AP you are looking for. Thus, the AP that has its LED state enabled is easily identifiable.

Cisco Discovery ProtocolThe Cisco Discovery Protocol (CDP) is used between the network devices to discover properties of the other end of an interface and the device. When CDP is enabled on an interface, the device sends its properties and interface information to the device at the other end of the interface. The controller has an option to enable or disable CDP on all or a specific access point. This configuration is applied to the global CDP state on the access point.

Note CDP over radio interface is applicable only for mesh APs.

This table describes the CDP parameters.



Interface Type Cisco Radio type as 802.11a/b/g/n.



Admin Status Interface status that you can enable or disable.


11n Supported Support of 11n.

Monitor Mode Access point Monitor mode: Local (normal operation), Cisco 1030 remote edge lightweight access point (Cisco 1030 IEEE 802.11a/b/g remote edge lightweight access point), or Monitor (monitor-only mode).




Login CredentialsCisco IOS access points are shipped from the factory with “Cisco” as the default enable password. This password allows users to log in to the unprivileged mode and execute show and debug commands, which poses a security threat. The default enable password must be changed to prevent unauthorized access and to enable users to execute configuration commands from the access point’s console port.

Note You must keep careful track of the credentials used by the access points. Otherwise, you might not be able to log in to an access point’s console port. If you need to return the access points to the default Cisco/Cisco username and password, you must clear the controller’s configuration and the access point’s configuration to return them to the default settings. To clear the controller’s configuration, choose Commands > Reset to Factory Default > Reset on the controller GUI, or enter the clear config command on the controller CLI. To clear the access point’s configuration, enter the clear ap config command Cisco_AP on the controller CLI. After the access point rejoins a controller, it adopts the default Cisco/Cisco username and password.

You can set a global username, password, and enable password that all access points inherit as they join the controller including access points that are currently joined to the controller and any that join in the future. You can override the global credentials and assign a unique username, password, and enable password for a specific access point. The following are requirements enforced on the password:

• The password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.

• No character in the password can be repeated more than three times consecutively.

• The password should not contain the management username or the reverse of the username.

• The password should not contain words like Cisco, oscic, admin, nimda or any variant obtained by changing the capitalization of letters by substituting 1, |, or ! or substituting 0 for o, or substituting $ for s.

This table describes the login credentials parameters.

Table 5-70 CDP Parameters


CDP State Global CDP that you can enable or disable on Ethernet or radio interfaces for all the access points currently associated to the controller.

Ethernet Interface# Ethernet interface number.

CDP State (ethernet interface)

CDP that you can enable or disable for all or specific Ethernet interfaces on all or specific access points.

Note Global CDP for the particular access points should be enabled before enabling or disabling the CDP state.


CDP State (radio slot) CDP that you can enable or disable for all or specific radio interfaces on all or specific access points.



Note You can override the global credentials for a specific access point and assign a unique username, password, and enable password to this access point by selecting the Over-ride Global credentials check box on the Credentials tab on the All APs Details page.

802.1X Supplicant CredentialsYou can configure 8021.1X authentication between lightweight access points and the switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning.

You can set global authentication settings that all access points inherit as they join the controller, which includes all access points that are currently joined to the controller and any that join in the future. If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.

This table describes the 802.1X supplicant credentials parameters.

.

Note You can override the global authentication settings for a specific access point and assign a unique username and password to this access point by selecting the Over-ride Global credentials check box on the Credentials tab on the All APs Details page.

Table 5-71 Login Credentials Parameters


Username Username that is to be inherited by all access points that join the controller.

Password Password that is to be inherited by all access points that join the controller.

Enable Password Enable password that is to be inherited by all access points that join the controller.



802.1X Authentication Username, Password, and Confirm Password fields.

Username Username that is to be inherited by all access points that join the controller.

Password Password that is to be inherited by all access points that join the controller.

Confirm Password Confirmed password that is to be inherited by all access points that join the controller.



AP Failover PriorityYou can configure high-priority access points so that the backup controller recognizes and accepts those access points first, even if it means disassociating a lower-ranked device as a means to provide an available port.

• Global AP Failover Priority—Access point priority assignments.

You can assign priorities to the access points on the High Availability tab on the All APs Details page. By default, all access points are set to priority level 1, which is the lowest priority level. Therefore, you need to assign a priority level only to those access points that warrant a higher priority.

AP Image PredownloadYou can predownload images for all access points that are associated to your controller on the network.

This table describes the AP image predownload parameters.

High AvailabilityYou can configure primary and secondary backup controllers for all access points (which are used if primary, secondary, or tertiary controllers are not responsive) in this order: primary, secondary, tertiary, primary backup, and secondary backup. In addition, you can configure various timers, including heartbeat timers and discovery request timers. To reduce the controller failure detection time, you can configure the fast heartbeat interval (between the controller and the access point) with a smaller timeout value. When the fast heartbeat timer expires (at every heartbeat interval), the access point determines if any data packets have been received from the controller within the last interval. If no packets have been received, the access point sends a fast echo request to the controller.

Note You can configure the fast heartbeat timer only for access points in local and FlexConnect modes.

• AP Heartbeat Timeout—AP Heartbeat timeout value that you can enter. The valid range is 10 to 30 for the Cisco 7500 Series Controller and 1 to 30 for other platforms.

• Local Mode AP Fast Heartbeat Timer State—Fast heartbeat timer that you can enable or disable for access points in local mode. The default is disable.

• Local Mode AP Fast Heartbeat Timeout—If you enabled Local Mode AP Fast Heartbeat Timer, enter the timeout interval for this parameter. Specifying a small heartbeat interval reduces the amount of time it takes to detect a controller failure. The range for the AP Fast Heartbeat Timeout

Table 5-73 AP Image Predownload Parameters


Download Primary Instruct all access points to download a primary image from the controller.

Download Backup Instruct all access points to download an image from the controller and store it as a backup.

Interchange Image Instruct all access points to swap their primary and backup images.



value for Cisco Flex 7500 Controllers is 10–15 (inclusive) and is 1–10 (inclusive) for other controllers. The default value for the heartbeat timeout for Cisco Flex 7500 Controllers is 10. The default value for other controllers is 1 second.

• FlexConnect Mode AP Fast Heartbeat Timer State—Fast heartbeat timer for FlexConnect access points that you can enable or disable. The default is disable.

• FlexConnect Mode AP Fast Heartbeat Timeout—If you enabled the FlexConnect mode AP fast heartbeat timer, enter the interval (in seconds) for the fast heartbeat timer for FlexConnect access points. Specifying a small heartbeat interval reduces the amount of time it takes to detect a controller failure. The range for the FlexConnect Mode AP Fast Heartbeat Timeout value for Cisco Flex 7500 Controllers is 10–15 (inclusive) and is 1–10 for other controllers. The default value for the heartbeat timeout for Cisco Flex 7500 Controllers is 10. The default value for other controllers is 1 second.

• AP Primary Discovery Timeout—Timeout that you can set. Enter a number between 30 and 3600 seconds (inclusive) to configure the access point primary discovery request timer. The default value is 120 seconds.

• Back-up Primary Controller IP Address—IPv4/IPv6 address of the primary backup controller. From Release 8.0, controller supports IPv6.

Note The default for the IP address is 0.0.0.0, which disables the primary backup controller.

• Back-up Primary Controller Name—Name of the primary backup controller.

• Back-up Secondary Controller IP Address—IP4/IPv6 address of the secondary backup controller. From Release 8.0, controller supports IPv6.

Note The default value for the IP address is 0.0.0.0, which disables the secondary backup controller.

• Back-up Secondary Controller Name—Name of the secondary backup controller.

TCP MSSIf the client’s maximum segment size (MSS) in a Transmission Control Protocol (TCP) three-way handshake is greater than the maximum transmission unit can handle, the client might experience reduced throughput and the fragmentation of packets. To avoid this problem in controller software release 6.0 or later releases, you can specify the MSS for all access points that are joined to the controller or for a specific access point.

When you enable this feature, the access point selects the MSS for TCP packets to and from wireless clients in its data path. If the MSS of these packets is greater than the value that you configured or greater than the default value for the CAPWAP tunnel, the access point changes the MSS to the new configured value.

• Global TCP Adjust MSS—Enable the check box and set the MSS for all access points that are associated with the controller.

From Release 8.0, the controller supports IPv6. Use the following Global TCP Adjust MSS values for:

– IPv4—Specify a value between 536 and 1363.

– IPv6—Specify a value between 1220 and 1331.



Note Any TCP MSS value that is below 1220 and above 1331 will not be effective for CAPWAP v6 AP.

AP Retransmit Config ParametersWhen a controller goes out of service, the access point associated with it falls back to the next available controller. Before associating itself to a new controller, the access point first tries to establish a connection with the existing controller that it is associated with. It does so by sending a request (known as a retransmission) at regular intervals to the controller and for a specified number of times (retry count). If the access point does not get an acknowledgement from the controller, it tries to associate itself to the next available controller.

Note Retransmission intervals and retry counts are not applicable for mesh access points.

You can configure the retransmission intervals and retry counts both at a global as well as a specific access point level. A global configuration applies these configuration parameters to all the access points. That is, the retransmission interval and the retry count would be uniform for all access points. Alternatively, when you configure the retransmission level and retry counts at a specific access point level, the values are applied to that particular access point. Access point specific configurations have higher precedence compared to Cisco WLC global configurations.

This table describes the AP retransmit config parameters.

OEAP Config ParametersThis table describes the Cisco 600 Series OfficeExtend Access Point (OEAP) config parameters.

Table 5-74 AP Retransmit Config Parameters


AP Retransmit Count Number of times that you want the access point to retransmit the request to controller and vice-versa. Valid range is between 3 and 8.

AP Retransmit Interval Time duration between retransmission of requests. Valid range is between 2 and 5.

Table 5-75 OEAP Config Parameters


Disable Local Access Check box that you can select to disable access to the local GUI, LAN ports, and local SSID of the Cisco 600 Series OEAP.

Disable Split Tunnel Check box that you can select to disable split tunnelling for Cisco 600 Series OEAP. Selecting the checkbox disables splitting the tunnel for all WLANs and remote LANs.



Flexconnect Ethernet FallbackThis table describes the FlexConnect Ethernet Fallback parameter.

Global Telnet SSHThis table describes the Global Telnet SSH parameter.

h

Global IPv6 UDP Lite This table describes the global IPv6 UDP Lite parameters used to enable or disable an IPv6 CAPWAP UDPLite for CAPWAP AP on the Cisco Wireless LAN Controller.

h

Packet RSSI Location Config ParametersThis table describes the global Packet RSSI Location Config Parameters.

Table 5-76 FlexConnect Ethernet Fallback Parameters


Radio Interface Shutdown Check box that you can select to enable an AP radio interface or disable an AP radio interface. This is disabled by default.

When the user selects this checkbox and when AP Ethernet Link goes down, the AP radio interface shuts down.

Delay (0 to 10 Sec) Delay value, in seconds. The value range is between 0 and 10. The default is 0.

Table 5-77 Global Telnet SSH Parameters


Telnet Telnet or SSH connectivity on this access point. The default is unselected.

SSH These protocols make debugging the access point easier, especially when the access point is unable to connect to the controller.

Table 5-78 Global IPv6 UDP Lite Parameters


UDP Lite Select this check box to globally enable IPv6 UDP Lite on APs connecting to the controller using CAPWAP v6 tunnel.

Note IPv6 UDP Lite is not applicable to APs connected with CAPWAP v4 tunnel.


Chapter 5 Wireless Tab Wireless > Advanced

Wireless > Advanced

Load BalancingChoose Wireless > Advanced > Load Balancing to navigate to the Load Balancing page. This page enables you to configure load balancing on the wireless network.

Important Guidelines and Limitations

• Load balancing is configurable only on a per-WLAN basis.

• Load balancing is not supported on the Cisco OEAP 600 Series access point.

This table describes the load balancing parameters.

Table 5-79 Packet RSSI Location Config Parameters


Enable Packet RSSI Location Enabling this feature allows the location calculations to be based off of data packets as well as probe packets. This feature requires that access points with WSM modules are deployed.

Packet Detection RSSI Minimum (dBm)

This is the minimum level at which a data packet can be heard by the WSM modules for use in location calculations. The default values is –100 db.

It is recommended that this value be increased if you want to have only strong signals used in calculating locations.

Scan Count Threshold for Idle Client Detection (dBm)

The Scan Count Threshold represent the number of off-channel scan cycles the AP will wait before sending a Block Acknowledgment Request (BAR) to idle clients. The default value of 10 corresponds to approximately 40s, depending on the number of channels in the off channel scan cycle.

NTP Server This is the IPv4/IPv6 address of the NTP server that all AP that are involved in this calculation need to sync to.

It is recommended to use the same NTP server as is used by the general WLC infrastructure. The scans from multiple AP needs to be synced up for the location to be accurately calculated. An IPv4 address is required.

Note IPv6 address is not supported.



Table 5-80 Load Balancing Parameters


Client Window Size Threshold that you can set for the client window size. This parameter specifies the threshold for the difference between the number of clients that an access point can have and the client count of the access point that has a minimum number of associated clients.

For example, suppose in a network setup there are three access points connected to a controller (AP1, AP2, and AP3). AP1 has 2 clients, AP2 has 3 and AP3 has 4 clients. In this setup, AP1 has a minimum number of clients, that is, 2. If the window size is configured as 2, every AP can have 2 + 2 = 4 clients. So every 5th client is load balanced. If any client tries to join AP3, a denial response is sent from AP3. For a client, the denial message is sent based on the configured value for the maximum denial count.

The default is 5.

Maximum Denial Count Maximum denial count that you can configure. The maximum denial count specifies the maximum number of association rejections that the access point can send to a client for a given sequence of association.

When a client tries to associate on a wireless network, it sends an association request to the access point. If the access point is overloaded and load balancing is enabled on the controller, the access point sends a denial to the association request. If there are no other access points in the range of the client, the client tries to associate the same access point again.

After the maximum denial count is reached, the client is able to associate. Association attempts on an access point from any client before associating any AP is called a sequence of association.

The default is 3.

Load Balancing Statistics

Total Denial Client Count Total number of clients denied.

Total Denial Messages Sent Total number of denial messages sent.

Exceeded Denial Max Limit Count Total number of messages that exceeded the denial maximum limit count.



Band SelectChoose Wireless > Advanced > Band Select to navigate to the Band Select page. This page enables you to configure the band select parameters on the wireless network.

Note Band select is not supported on the Cisco OEAP 600 Series access point.

This table describes the band select parameters.

None 5G Candidate Count Number of times at the 5G band that there is no AP candidate to load balance off a client.

None 2.4 G Candidate Count Number of times at the 2.4G band that there is no AP candidate to load balance off a client.

Table 5-80 Load Balancing Parameters


Table 5-81 Band Select Parameters


Probe Cycle Count Probe cycle count that you can specify.

When a client cycle count is reached and if a client still sends a probe request, the access point responds to it with a probe response.

For example, we assume at a minimum that a client stays in a channel for 5 milliseconds and there are 11 channels. If the client scans channel 1 and then the other 10 channels, there should be at least a gap of 10x5 milliseconds between the last time the AP hears the client probe and the latest one. The AP only increments the count if the difference of time between the latest and the last probe is more than 50 milliseconds.

The default is 2.

Scan Cycle Period Threshold (milliseconds) Threshold for a new scanning cycle period (in milliseconds) that you can specify.

The Client cycle counter is incremented only if the client scans the same channel after any time the value is set for the scan cycle period threshold.

For example, if a client is scanning a channel after every 150 milliseconds and a cycle threshold value is configured as 200, the cycle count is incremented after 300 seconds. If the client is scanning after every 250 milliseconds, the cycle count is incremented after 250 milliseconds.

The default is 200.



Age Out Suppression (seconds) Ageout suppression (in seconds) that you can configure. This parameter specifies the ageout period after which the entry of the client is removed from the suppression table.

All entries stay in the suppression table until they are aged out or are replaced when the table is full. If the table is full, and there is no space for a new client, then the access point replaces the oldest entry on the table that had responded already. If there is no empty slot in the table, the access point has to respond to all the new clients until space is available.

The default is 20.

Table 5-81 Band Select Parameters (continued)





Preferred CallsYou can configure a controller to support calls from clients that do not support TSPEC-based calls. This is known as voice prioritization. These calls are given priority over other clients that use the voice pool. Voice prioritization is available only for SIP-based calls, not for TSPEC-based calls. If the bandwidth is available, the controller takes the normal flow and allocates the bandwidth to those calls.

Age Out Dual Band (seconds) Ageout dual band (in seconds) that you can specify.

When an access point receives a probe request from any client in both 2.4-GHz and 5-GHz bands, the access point is aware that the client is capable of operating on both bands. Dual-band capable clients are recorded in a dual-band client table.

The controller keeps a record of the clients’ capabilities to join the 2.4-GHz and 5-GHz bands. The controller ensures that 5-GHz capable clients join the 5-GHz band only. Entries in the table are aged out to make space for new entries. This parameter specifies the time duration after which the client entry is removed. The access point does not respond to the dual band client's 2.4-GHz probe until it is removed from the dual-band client table. The access point fills the dual-band table in the following order until it is full:

• Clients with a 5-GHz probe that have associated to 2.4-GHz.

• Clients with a 5-GHz probe that also have 2.4-GHz probes.

• Clients with just a 5-GHz probe detected and a 5-GHz association.

The default is 60.

Acceptable Client RSSI (dBm) Acceptable client RSSI (in dBm) that you can set. This parameter specifies the minimum client RSSI threshold.

This parameter filters out far away clients with low signal strength to limit the number of clients on the table.

The default is –80.

Table 5-81 Band Select Parameters (continued)




You can configure up to six preferred call numbers. When a call comes to one of the configured preferred numbers, the controller does not check on the maximum call limit. It invokes the CAC to allocate bandwidth for the preferred call. The bandwidth allocation is 85 percent of the entire bandwidth pool, not just from the maximum configured voice pool. The bandwidth allocation is the same even for roaming calls.

Prerequisites for Voice Prioritization

• WLAN QoS should be set to platinum.

• ACM should be enabled for the radio.

• WLAN should have SIP call snooping enabled.

Note The Cisco 5500 Series Controllers and all nonmesh access points do not support the voice prioritization.

Choose Wireless > Advanced> Preferred Calls to navigate to this page. This page enables you to configure voice prioritization parameters on the wireless network.

Click Add Number to add a preferred call number.

This table describes the preferred calls parameters.

The configured Call Index and Call Numbers are displayed.

Click Apply to add the index and the call number.

Click Cancel to return to the Preferred Calls page.

SIP SnoopingChoose WIRELESS > Advanced > SIP Snooping to navigate to the SIP Snooping page. This page enables you to configure call snooping ports on the controller. If you need only a single port for call snooping, configure the start and end port with the same number.

The port used by the CIUS tablet is 5060 and the port range used by Facetime is from 16384 to 16402.

This table describes the SIP snooping parameters.

Table 5-82 Preferred Calls Parameters


Call Index Index to assign to this call number.

Call Number Call number.

Table 5-83 SIP Snooping Parameters


Port Start Starting port for call snooping. The range is from 0 to 65535.

Port End Ending port for call snooping. The range is from 0 to 65535.



Rx SOP ThresholdReceiver Start of Packet Detection Threshold (Rx SOP) determines the Wi-Fi signal level in dBm at which an access point's radio demodulates and decodes a packet. As the Wi-Fi level increases, the radio sensitivity decreases and the receiver cell size becomes smaller. Reduction of the cell size affects the distribution of clients in the network. Rx SOP is used to address clients with weak RF links, sticky clients, and client load balancing across access points.

Choose WIRELESS > Advanced > Rx SOP Threshold to navigate to the Rx SOP Threshold page. This page enables you to configure the Rx SOP threshold values for each 802.11 band.

This table shows the Rx SOP threshold values for high, medium and low levels for each 802.11 band.

Optimized RoamingOptimized roaming resolves the problem of sticky clients that remain associated to access points that are far away and outbound clients that attempt to connect to a Wi-Fi network without having a stable connection.

This feature disassociates clients based on the RSSI of the client data packets and data rate. The client is disassociated if the RSSI alarm condition is met and the current data rate of the client is lower than the optimized roaming data rate threshold. Optimized roaming also prevents client association when the client's RSSI is low. This feature checks the RSSI of the incoming client against the RSSI threshold. You can also configure the client coverage reporting interval for a radio.

Choose WIRELESS > Advanced > Optimized Roaming to navigate to the Rx SOP Threshold page. This page enables you to enable optimized roaming on a radio and configure the parameters.

This table describes the optimized roaming parameters.

802.11 Band High Threshold Medium Threshold Low Threshold

5 GHz -76 dBm -78 dBm -80 dBm

2.4 GHz -79 dBm -82 dBm -85 dBm

Table 5-84 Optimized Roaming Parameters


Optimized Roaming Mode Check box that you can select to enable Optimized Roaming.


Chapter 5 Wireless Tab Mesh

Network ProfileChoose WIRELESS > Advanced > Network Profile to navigate to the Network Profile page.

MeshChoose WIRELESS > Mesh to navigate to the Mesh page.

This page enables you to configure the access point to establish a connection with the controller.

GeneralThis table describes the general mesh parameters.

Optimized Roaming Interval Client coverage reporting interval for 802.11a/b networks. The range is from 5 to 90 seconds. The default value is 90.

Note You must disable the 802.11a/b network before you configure the optimized roaming interval.

Optimized Roaming Data Rate Threshold Threshold data rate for 802.11a/b networks.

For 802.11a, the configurable data rates are 6, 9,12,18, 24, 36, 48, and 54.

For 802.11b, the configurable data rates are 1, 2, 5.5, 11, 6, 9,12,18, 24, 36, 48, and 54.

You can also choose the Disable option to disable the data rate for disassociating clients.

Table 5-84 Optimized Roaming Parameters


Table 5-85 Network Profile Parameters


RF Parameter Optimization Check box that you can select to enable configuration of Client Density and Traffic Type.

Client Density Options:

• Low

• Typical

• High

Traffic Type To configure RF parameters for RF traffic type such as:

• Data

• Data and Voice



Ethernet BridgingThis table describes the Ethernet bridging parameters.



Range (Root AP to Mesh AP)

Optimum distance (in feet) that should exist between the root access point and the mesh access point. This global parameter applies to all access points when they join the controller and all existing access points in the network.

Values are from 150 to 132000; the default is 12,000.

IDS (Rogue and Signature Detection)

Outdoor mesh access points that you can enable or disable. The default is disable.

Note IDS reporting is enabled for all indoor mesh access points and cannot be disabled.

When you enable this feature, IDS reports are generated for all traffic on the backhaul. These reports can be useful for university or enterprise outdoor campus areas, or for public safety users who want to find out who is operating in 4.9 GHz.

When you disable this feature, no IDS reports are generated, which preserves bandwidth on the backhaul.

Backhaul Client Access Backhaul client access that you can enable or disable. The default is disable.

When you enable this feature, 1520 series (152x) mesh access points allow wireless client association over the 802.11a radio, which implies that a 152x mesh access point can carry both backhaul traffic and 802.11a client traffic over the same 802.11a radio.

When you disable this feature, the 152x carries backhaul traffic over the 802.11a radio and allows client association only over the 802.11b/g radio.

Note After you enable this feature, all mesh access points reboot.

Mesh DCA Channels Mesh DCA channel that you can enable or disable. The default is disable.

Enable this option to enable backhaul channel deselection on the controller using the DCA channel list. Any change to the channels in the controller DCA list is pushed to the associated access points. This option is only applicable for Serial Backhaul mesh access points.

Global Public Safety Public safety band that you can enable or disable on the mesh access point.



SecurityThis table describes the security parameters.



VLAN Transparent VLAN transplant that you can enable or disable. This default is disable.

When you enable this option, VLAN tags are not handled and packets are bridged as if they are untagged.

You should disable this option if you want to enable VLAN-aware Ethernet bridging.



Table 5-88 Security Parameters


Security Mode EAP (Extensible Authentication Protocol) or PSK (Preshared Key); the default option is EAP.

Note If you enable the External MAC Filter Authorization option, you need to choose the EAP option.

Note If you do not enable the External MAC Filter Authorization option, local EAP or PSK authentication is performed within the controller.

External MAC Filter Authorization

Authorization that you can enable or disable. The default is disable.

Enable this option to allow an external RADIUS server to perform MAC filter authorization.

This option protects your network against rogue mesh access points by preventing access points that are not defined on the external server from joining.

When you enable this option and click Apply, the access points reboot and then rejoin the controller if defined in the MAC filter list. Access points that are not defined in the MAC list cannot join the controller.

Note When this option is not enabled, by default, the controller authorizes and authenticates mesh access points using the MAC address filter.

Before you employ external authentication within the mesh network, you must perform the following configuration:

• On the controller, configure the RADUIS server to be used as an AAA server.

• Configure the controller on the RADIUS server.

• Add the mesh access point configured for external authorization and authentication to the user list of the RADIUS server.

– For remote authorization and authentication, EAP-FAST uses the manufacturer’s certificate (CERT) to authenticate the child mesh access point. Additionally, this manufacturer certificate-based identity serves as the username for the mesh access point in user validation.

– For Cisco IOS-based mesh access points (1240, 1522, 1524), the platform name of the mesh access point is located in front of its Ethernet address within the certificate; therefore, the username for external RADIUS servers is platform_name_string–Ethernet_MAC_address such as c1240-001122334455.

• Install the certificates and configure EAP-FAST on the RADIUS server.


Chapter 5 Wireless Tab RF Profiles


RF ProfilesChoose WIRELESS > RF Profiles to navigate to the RF Profiles page. This page enables you to create and configure RF profiles in the controller.

Out of Box AP GroupYou can select the Enable Out Of Box check box to create an Out of Box AP group that consists of newly installed access points that belong to the default AP group. When you enable this feature:

• Newly installed access points that are part of the default AP group will be part of the Out-of-Box AP group and their radios will be switched off. This eliminates any RF instability caused by the new access points.

• All access points that do not have a group name become part of the Out of Box AP group.

• Special RF profiles are created per 802.11 band. These RF profiles have default-settings for all the existing RF parameters and additional new configurations.

When you disable this feature after you enable it, only subscription of new APs to the Out of Box AP group stops. All APs that are subscribed to the Out of Box AP Group remain in this AP group. The network administrators can move such APs to the default-group or a custom AP group upon network convergence.

Click New to create a new RF profile.

This table describes the RF profile parameters.

Force External Authentication

Force external authentication that you can enable or disable. The default is disable.

Enable this option with EAP and External MAC Filter Authorization to allow external authorization and authentication of mesh access points using a RADIUS server.

RADIUS Server

Server Index RADIUS server index. The Cisco WLC tries Index 1 first, then Index 2, and so on, in an ascending order. This value should be 1 if your network is using only one authentication server.

Click the index number to display the Updating RADIUS Authentication Servers page.


Port Communication port number for the interface protocols. The default is 1812.

Enabled RADIUS authentication server that you can enable or disable.

Table 5-88 Security Parameters




Table 5-89 RF Profile Parameters


General Parameters

Profile Name Name of the RF profile.

Radio Policy Whether the RF profile will be applied to the 802.11a or 802.11b/g radios.

Note According to the selection of the Radio Policy, the other parameters may differ.

Description Description of the RF profile.

802.11

Data Rates Data rate that is Mandatory indicates that the clients that do not support this specific rate will not be able to associate with the AP.

Data rate that is Supported indicates that any associated client that also supports this rate can communicate with the AP using this rate.

Data rate that is Disabled indicates that clients do not support this specific rate.

The following data rates are supported by 802.11a:

• 6 Mbps

• 9 Mbps

• 12 Mbps

• 18 Mbps

• 24 Mbps

• 36 Mbps

• 48 Mbps

• 54 Mbps

The following data rates are supported by 802.11b/g:

• 1 Mbps

• 2 Mbps

• 5.5 Mbps

• 6 Mbps

• 9 Mbps

• 11 Mbps

• 12 Mbps

• 18 Mbps

• 24 Mbps

• 36 Mbps

• 48 Mbps

• 54 Mbps



MCS Settings Select the check boxes of the desired rates to specify the modulation and coding scheme (MCS) rates at which data can be transmitted between the access point and the client. These data rates, which are calculated for a 20-MHz channel width using a short guard interval, are available:

• 0 (7 Mbps)

• 1 (14 Mbps)

• 2 (21 Mbps)

• 3 (29 Mbps)

• 4 (43 Mbps)

• 5 (58 Mbps)

• 6 (65 Mbps)

• 7 (72 Mbps)

• 8 (14 Mbps)

• 9 (29 Mbps)

• 10 (43 Mbps)

• 11 (58 Mbps)

• 12 (87 Mbps)

• 13 (116 Mbps)

• 14 (130 Mbps)

• 15 (144 Mbps) Any associated clients that support the selected rates may communicate with the access point using those rates. However, the clients are not required to be able to use this rate in order to associate. The MCS settings determine the number of spatial streams, the modulation, the coding rate, and the data rate values that are used.

RRM > Transmit Power Control (TPC) Parameters

Maximum Power Level Assignment

Maximum transmit power used by the RRM. The range is from –10 to 30 dBm. The default value is 30 dBm.

Minimum Power Level Assignment

Minimum transmit power used by the RRM. The range is from –10 to 30 dBm. The default value is –10 dBm.

Power Threshold v1 Transmit Power Control v1 threshold value. The range is from –80 to –50 dBm. The default value is –70 dBm.

Power Threshold is the cutoff signal level used by the RRM when determining whether to reduce an access point’s power.

Power Threshold v2 Configures the Transmit Power Control v2 threshold value. The range is from –80 to –50 dBm. The default value is –67 dBm.

RRM > Coverage Hole Detection Parameters





Data RSSI Minimum receive signal strength indication (RSSI) value for data packets received by the access point. The value that you enter is used to identify coverage holes (or areas of poor coverage) within your network. The range is from –60 to –90 dBm. The default value is –80 dBm.

If the access point receives a packet in the data queue with an RSSI value below the value that you enter, it indicates that a potential coverage hole has been detected. The access point takes data RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.

Voice RSSI Minimum receive signal strength indication (RSSI) value for voice packets received by the access point. The value that you enter is used to identify coverage holes within your network. The range is from –60 to –90 dBm. The default value is –75 dBm.

If the access point receives a packet in the voice queue with an RSSI value below the value that you enter, it indicates that a potential coverage hole has been detected. The access point takes voice RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.

Coverage Exception Minimum number of clients on an access point with an RSSI value at or below the data or voice RSSI threshold to trigger a coverage hole exception.

The range is from 1 to 75, and the default value is 3.

Coverage Level Percentage of clients on an access point that are experiencing a low signal level but cannot roam to another access point. If an access point has more number of such clients than the configured coverage level it triggers a coverage hole event.

The range is from 0 to 100%, and the default value is 25%.

The controller determines if the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.

RRM > DCA

Avoid AP Foreign AP Interference

Select the Avoid Foreign AP Interference check box to cause the Cisco

WLC’s RRM algorithms to consider 802.11traffic from foreign access points (those not included in your wireless network) when assigning channels to lightweightaccess points, or unselect it to disable this feature.

Channel Width Select the required bandwidth for the AP based on the type of clients available in the RF environment.

RRM > DCA Channel List





DCA Channels The DCA Channels text box shows the channels that are currently selected. To choose a channel, select its check box in the Select column. To exclude a channel, unselect its check box.

The ranges are as follows:

• 802.11a—36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, 149, 153,157, 161, 165, 190, 196

• 802.11b/g—1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

The defaults are as follows:

• 802.11a—36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, 149, 153,157, 161

• 802.11b/g—1, 6, 11

Extended UNII-2 channels 100, 104, 108, 112, 116,132, 136, and 140—These extended UNII-2 channels in the 802.11a band do not appear in the channel list.

If you have Cisco Aironet 1520 series mesh access points in the -E regulatory domain, you must include these channels in the DCA channel list before you start operation.

If you are upgrading from a previous release, verify that these channels are included in the DCA channel list.

To include these channels in the channel list, select the Extended UNII-2 Channels check box.

RRM > Profile Threshold For Traps

Interference (0 to 100%) Interference threshold on the RF environment.

Clients (1 to 200) Number of clients present in the RF profile for which the trap is configured.

Noise (-127 to 0 dBm) The channel noise level for trap generation.

Utilization (0 to 100 %) The channel utilization for trap generation.

High Density and Multicast Parameters

Maximum Clients Maximum number of clients that can communicate with the AP in a high-density environment. The range is from 1 to 200. The default value is 200.

Client Trap Threshold Threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller and Cisco Prime Infrastructure. The range is from 0 to 200. The default value is 50.

Traps are disabled if the threshold value is configured as zero. Client trap threshold value should be less than then maximum clients configuration.





Multicast Data Rates Multicast data rate of a client with the AP.

The following multicast data rates are supported by 802.11a and 802.11b/g:

• 6 Mbps

• 9 Mbps

• 12 Mbps

• 18 Mbps

• 24 Mbps

• 36 Mbps

• 48 Mbps

• 54 Mbps

If you choose auto, the AP automatically adjusts the data rate with the client.

Rx Sop Threshold Drop-down list from which you can choose the high, medium, or low Rx SOP threshold value for a band. For more details, see Rx SOP Threshold.

Client Distribution > Load Balancing

Window The window size is part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:

load-balancing window + client associations on AP with lightest load = load-balancing threshold

The range is from 0to 20. The default value is 5.

In the group of access points accessible to a client device, each access point has a different number of client associations. The access point with the lowest number of clients has the lightest load. The client window size plus the number of clients on the access point with the lightest load forms the threshold. Access points with more client associations than this threshold is considered busy, and clients can associate only to access points with client counts lower than the threshold.

Denial The denial count sets the maximum number of association denials during load balancing. Enter a value between 1 and 10. The default value is 3.

Client Distribution > Band Select

Note Band Select configurations are available only for 802.11BG RF profiles.

Probe Response Probe responses to clients that you can enable or disable.

Cycle Count Probe cycle count for the RF profile. The cycle count sets the number of suppression cycles for a new client. The range is from 1 to 10. The default value is 2.




Chapter 5 Wireless Tab FlexConnect Groups

Note Changing the data rates and minimum client count requires explicit network dependencies. You must disable the 802.11a or 802.11b/g network before changing data rates and minimum client count in RF Profiles.

Click Apply to send the RF Profile configuration data to the Cisco WLC.

FlexConnect GroupsChoose WIRELESS > FlexConnect Groups to navigate to the FlexConnect Groups page. This page lists any FlexConnect groups that have already been created.

All the FlexConnect access points in a group share the same FlexConnect configuration information.

If you want to delete an existing group, click the blue arrow adjacent the group and choose Remove.

Cisco Centralized Key Management

FlexConnect groups are required for Cisco Centralized Key Management (CCKM) fast roaming to work with FlexConnect access points. CCKM fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a simple and secure key exchange can take place when a wireless client roams to a different access point. This feature prevents the need to perform a full RADIUS EAP authentication as the client roams from one access point to another. The FlexConnect access points need to obtain the CCKM cache information for all the clients that might associate so they can process it quickly instead of sending it back to the controller.

Note CCKM fast roaming among FlexConnect and non-FlexConnect access points is not supported.

Cycle Threshold Time threshold for a new scanning RF Profile band select cycle period. This setting determines the time threshold during which new probe requests from a client come in a new scanning cycle. The range is from 1 to 1000 milliseconds. The default value is 200.

Suppression Expire Expiration time for pruning previously known 802.11b/g clients. After this time elapses, clients become new and are subject to probe response suppression. The range is from 10 to 200 seconds. The default value is 20 seconds.

Dual Band Expire Expiration time for pruning previously known dual-band clients. After this time elapses, clients become new and are subject to probe response suppression. The range is from 10 to 300. The default value is 60 seconds.

Client RSSI Minimum RSSI for a client to respond to a probe. The range is from –90 to –20 dBm. The default value is –80 dBm.





802.1X Authentication

FlexConnect access points support 802.1X authentication. FlexConnect access points forward the client authentication request to a local (backup) RADIUS server when the access point is in standalone mode (for example, when the WAN link is down or when the access point loses connectivity to the controller).

To enable 802.1X authentication, configure backup RADIUS servers on the FlexConnect access points to authenticate the clients when the access point is in standalone mode.

In standalone mode, if the client is connected and the session timeout has expired, the client reauthenticates with the local backup RADIUS server.

Local authentication is useful when you cannot maintain the criteria that a remote office setup has a minimum bandwidth of 128 Kbps with a round trip latency of no greater than 100 ms and the maximum transmission unit (MTU) no smaller than 500 bytes. In local switching, the authentication capabilities are present in the access point itself. Local authentication reduces the latency requirements of the branch office.

Note Local authentication can only be enabled on the WLAN of a FlexConnect AP that is in local switching mode.

Local authentication is not supported in the following scenarios:

• Guest authentication cannot be done on a FlexConnect local authentication-enabled WLAN.

• RRM information is not available at the controller for the FlexConnect local authentication-enabled WLAN.

• Local RADIUS is not supported.

• Once the client has been authenticated, roaming is only supported after the controller and the other FlexConnect access points in the group are updated with the client information

Note Only the session timeout RADIUS attribute is supported in the standalone mode. All other attributes are not supported.

Note RADIUS accounting is not supported in standalone mode.

Click New to add a new FlexConnect group.

Creating FlexConnect GroupsChoose WIRELESS > FlexConnect Groups and then click New to navigate to the FlexConnect Groups > New page.

This page allows you to create an FlexConnect group.

The number of FlexConnect groups and access point support depends on the platform that you are using. You can configure the following:

• Up to 100 FlexConnect groups for a Cisco 5500 Series Wireless Controller.

• Up to 1000 FlexConnect groups for a Cisco Flex 7500 Series Wireless Controller. The Cisco Flex 7500 Series Wireless Controller can accommodate up to 50 access points per group.



• Up to 2000 FlexConnect groups for a Cisco Flex 8500 Series Wireless Controller. The Cisco Flex 8500 Series Wireless Controller can accommodate up to 100 access points per group.

• Up to 20 FlexConnect groups with up to 25 access points per group for the remaining platforms.

You can add up to 20 FlexConnect groups per controller. For the Cisco 5500 Series Wireless Controller, you can add up to 100 FlexConnect groups.

When the FlexConnect Groups > New page appears, enter the name of the new group in the Group Name text box. You can enter up to 32 alphanumeric characters.


Editing FlexConnect GroupsChoose WIRELESS > FlexConnect Groups and then click a group name to navigate to the FlexConnect Groups > Edit page.

This page enables you to configure or change the various parameters grouped under different tabs for an existing FlexConnect group. The different tabs are as follows:

• General Tab

• Local Authentication Tab

• Image Upgrade Tab

• ACL Mapping Tab

• Central DHCP Tab

• WLAN to VLAN Mapping Tab

• WLAN AVC Mapping Tab

General Tab

This table describes the FlexConnect general parameters.



Group Name Name of the FlexConnect group.

Enable AP Local Authentication

Check box that you can select to enable local AP authentication for a FlexConnect group. The default value is unselected. The FlexConnect AP can be configured as a RADIUS server for LEAP, EAP-FAST, PEAP, or EAP-TLS client authentication.

Note You can configure LEAP, EAP-FAST, PEAP, or EAP-TLS authentication only if AP local authentication is enabled.

FlexConnect APs



Click Add to add the RADIUS server to the list of RADIUS servers.

Local Authentication Tab

This table describes the local authentication parameters.

To add an access point to the group, click Add AP. The Add AP area appears.

To choose an access point that is connected to this controller, select the Select APs from Current Controller check box and then choose the name of the desired access point from the AP Name drop-down list.

Note If you choose an access point on this controller, the MAC address of the access point is automatically entered in the Ethernet MAC field to prevent any mismatches from occurring.

To choose an access point that is connected to a different controller, leave the Select APs from Current Controller check box unselected and then enter its MAC address in the Ethernet MAC text box.

Note If the FlexConnect access points within a group are connected to different controllers, all controllers must belong to the same mobility group.

Click Add to add the access point to this FlexConnect group. The access point's MAC address and name appear at the bottom of the page.

AAA AAA parameters.

Server IP Address IP address of the primary or secondary RADIUS server.

Note IPv6 is not supported for local authentication.

Server Type Drop-down list from which you can choose a primary or secondary RADIUS server. See the RADIUS Authentication Servers topic for more details.

Shared Secret RADIUS server login shared secret.

Port Number Communication port number for the interface protocols. The default port number is 1812.

Note Do not assign the port number that is used by another application. Use the default port or any other port unused by any other application.



Table 5-91 Local Authentication Tab Parameters


Local Users Tab

No of Users Number of users currently associated.

User Name Supported local users.



Add User Users that you can add by either entering the username and password or by uploading a comma-separated values (CSV) file.

Note You can add up to 100 users.

• Upload CSV file—Select this option to upload a CSV file that contains user names and passwords. Each line of the file needs to be in the following format:

username, password

• File Name—Click Browse to browse to the CSV file.

• Username—Enter the username of the client that you want to authenticate using LEAP, EAP-FAST, PEAP, or EAP-TLS.

• Password—Enter the password of the client.

• Confirm Password—Reenter the password of the client.

• Add button—Click to add the user or upload the CSV file.

Remove All Users Click the button to delete all local users.

Protocols Tab

Enable LEAP Authentication

FlexConnect access point to authenticate clients using LEAP. You can configure LEAP authentication only when AP local authentication is configured.

Enable EAP Fast Authentication

FlexConnect access point to authenticate clients using EAP-FAST. You can configure EAP Fast authentication only when AP local authentication is configured.

Server Key (in hex) PACs that you can send automatically to clients that do not have one during PAC provisioning.

You can select the Enable Auto key generation check box to automatically generate the server key.

To use manual PAC provisioning, enter the server key used to encrypt and decrypt PACs in the Server Key and Confirm Server Key fields. The key must be 32 hexadecimal characters.

Authority ID (in hex) Authority identifier of the EAP-FAST server. The identifier must be 32 hexadecimal characters.

Authority Info Authority identifier of the EAP-FAST server in text format. You can enter up to 32 hexadecimal characters.

PAC Timeout (2 to 4095) PAC timeout value. The default value is unselected.

Enter the number of seconds for the PAC to remain viable in the text box. The range is 2 to 4095 seconds.

Enable PEAP Authentication

FlexConnect access point to authenticate clients using PEAP. You can configure PEAP authentication only when AP local authentication is configured.





Image Upgrade Tab

This table describes the image upgrade parameters.

ACL Mapping Tab

This tab consists of the following three tabs:

• AAA VLAN-ACL Mapping Tab

• WLAN-ACL Mapping Tab

• Policies Tab

Enable EAP-TLS Authentication

FlexConnect access point to authenticate clients using EAP-TLS. You can configure EAP-TLS authentication only when AP local authentication is configured.

EAP TLS Certificate Download

Check box that you can select to download the EAP root and device certificate to the access point.



Table 5-92 Image Upgrade Tab Parameters


FlexConnect AP Upgrade FlexConnect AP upgrade that you can enable.

Slave Maximum Retry Count

Maximum number of retries for the preimage download. This option is available if the FlexConnect AP Upgrade option is enabled.

Upgrade Image Drop-down list from which you can choose to download the primary image, store the image as backup, or abort the download. The available options are:

• Primary—Upgrades the primary image of the controller.

• Backup—Upgrades the backup image of the controller.

• Abort—Aborts the image upgrade.

Click the FlexConnect Upgrade button to upgrade the image of the FlexConnect AP.

FlexConnect Master APs


Add Master Adds a master FlexConnect AP.

The following parameters are available:

• Master AP Name

• AP Model

• Manual



AAA VLAN-ACL Mapping Tab

This table describes the AAA VLAN-ACL mapping tab parameters.


Click Add to add a VLAN-ACL mapping.

WLAN-ACL Mapping Tab

This table describes the WLAN-ACL mapping parameters.


Click Add to add a WLAN FlexConnect ACL mapping.

Table 5-93 AAA VLAN-ACL Mapping Tab Parameters


VLAN Id ID of the VLAN for which mapping has to be done.

Ingress ACL Drop-down list from which you can choose the ingress ACL.

Egress ACL Drop-down list from which you can choose the egress ACL.

Table 5-94 WLAN-ACL Mapping Tab Parameters


Web Auth ACL Mapping

WLAN Id ID of the WLAN for which the mapping has to be done.

WebAuth ACL Drop-down list from which you select the WebAuth ACL for external web authentication. Click Add to add the WebAuth ACL mapping.

For more information about creating FlexConnect ACLs, see the Adding Access Control Lists topic.

Note You can configure up to 16 WebAuth ACLs for an access point.

Local Split ACL Mapping


Local-split ACL Drop-down list from which you can choose the Local Split ACL to locally switch traffic in centrally switched WLANs. Click Add to add the local split ACL mapping.

Local-split configuration is applied specific to a WLAN. You can also apply this configuration from a FlexConnect group or from an AP. If the local-split configuration is applied at both the FlexConnect group level and AP level, then the configuration applied at the AP level has higher priority. In other words, the FlexConnect ACL specific to the AP has higher priority.



Policies Tab

This table describes the policies parameters.


Click Add to add a Policy ACL.

Central DHCP Tab

This table describes the central DHCP tab parameters.

WLAN to VLAN Mapping Tab

Until controller Release 7.4, WLAN to VLAN mapping was done per AP. From controller Release 7.5, you can map WLAN to VLAN from the FlexConnect groups. WLAN to VLAN mapping is configured on all the APs in the FlexConnect group and does not override the WLAN to VLAN mapping done on the access points. The order of priority for WLAN to VLAN mappings is highest for AP groups > FlexConnect group > WLAN.

In Release 8.1 VLAN Support/Native VLAN on FlexConnect Group feature is available, which enables you to configure VLAN Support and Native VLAN ID on a FlexConnect Group.

This table describes the WLAN to VLAN mapping parameters.

Table 5-95 Policies Tab Parameters


Policy ACL Drop-down list from which you can select a device-based Policy AC. Click Add to add the Policy ACL.

For more information about creating FlexConnect ACLs, see the Adding Access Control Lists topic.

Note You can configure up to 16 Policy ACLs that are specific to the FlexConnect group.

Table 5-96 Central DHCP Tab Parameters





Click Add to add a WLAN VLAN Mapping.

WLAN AVC Mapping Tab

FlexConnect Groups and OKCFlexConnect Groups enable Optimistic Key Caching (OKC) to enable fast roaming of clients. OKC facilitates fast roaming by using PMK Caching in access points that are in the same FlexConnect group.

This feature prevents the need to perform a full authentication as the client roams from one access point to another. Whenever a client roams from one FlexConnect access point to another, the FlexConnect group access point calculates the PMKID using the cached PMK.

To see the PMK cache entries at the FlexConnect access point, use the show capwap reap pmk command. This feature is supported on Cisco FlexConnect access points.

Note The FlexConnect access point must be in connected mode when the PMK is derived during WPA2/802.1X authentication.

Table 5-97 WLAN to VLAN Mapping Tab Parameters


VLAN Support Enable the VLAN Support check box and enter a Native VLAN ID.

Override Native VLAN on AP

This option overrides the VLAN Support and Native VLAN ID parameters previously configured on the Access points, changes the inheritance level at the AP to “Group-specific”, removes AP Specific WLAN-VLAN Mappings and pushes the group-specific configuration including WLAN-VLAN Mapping configured on the group to all the APs in that group.

When the override flag is set at the FlexConnect Group, modification of VLAN Support, Native VLAN ID, WLAN-VLAN Mappings and Inheritance-Level at the AP is not allowed


Vlan Id ID of the VLAN.

Table 5-98 WLAN AVC Mapping Tab Parameters



Application Visibility Enable the Application Visibility on the FlexConnect Group

Flex AVC Profile Apply the FlexConnect AVC profile


Chapter 5 Wireless Tab FlexConnect ACLs

FlexConnect ACLsWith FlexConnect ACLs, you can control access at the FlexConnect AP for protection and integrity of locally switched data traffic from the AP. Using the controller, you can create FlexConnect ACLs and then configure the FlexConnect ACL with the WLAN using WLAN-ACL mapping. These are then pushed to the AP.

Choose WIRELESS > FlexConnect ACLs to navigate to the FlexConnect ACLs page.

This page enables you to list the ACLs configured for FlexConnect access points. To remove a FlexConnect ACL, click the blue arrow adjacent the access point and choose Remove.

Click New to open the Access Control Lists > New page.

Adding FlexConnect ACLsChoose WIRELESS > FlexConnect ACLs and click New. This page enables you to create an ACL. Enter the FlexConnect ACL name in the Access Control List Name text box.

Click Apply to create a new FlexConnect ACL with the configured name.

Editing Access Control ListChoose WIRELESS > FlexConnect ACLs and click the ACL name of an existing ACL to open the Access Control List > Edit page.

This table describes the FlexConnect ACL parameters.

Table 5-99 FlexConnect Access Control List Parameters


General

Access List Name Name of the FlexConnect ACL.

Seq Up to 64 rules can be defined for each ACL.

The rules for each ACL are listed in a contiguous sequence from 1 to 64. If rules 1 through 4 are already defined and you add rule 29, it is added as rule 5.

Note If you add or change a sequence number, the operating system adjusts the other rule sequence numbers to retain the contiguous sequence. For instance, if you have sequence numbers 1 through 7 defined and change number 7 to 5, the operating system automatically reassigns sequence 6 to 7 and sequence 5 to 6.

Action Deny or Permit.

Note The default filter is to deny all access unless a rule explicitly permits it.

Source IP/Mask Any or IPv4 or IPv6 address and netmask. For IPv4 addresses, the netmask is displayed and for IPv6 addresses, the prefix length is displayed.



Click Add a New Rule to add a new rule to an existing ACL.

Adding FlexConnect ACL RulesChoose SECURITY > Access Control List > FlexConnect ACLs to navigate to the FlexConnect Access Control Lists page. Click an ACL name of an existing ACL to open the Access Control List > Edit page and click Add New Rule button to create a new ACL Rule.

This table describes the FlexConnect New ACL parameters.

Destination IP/Mask Any or IPv4 or IPv6 address and netmask. For IPv4 addresses, the netmask is displayed and for IPv6 addresses, the prefix length is displayed.

Protocol Protocol to use for this ACL:

• Any—All protocols

• TCP—Transmission Control Protocol

• UDP—User Datagram Protocol

• ICMP—Internet Control Message Protocol (For IPv4 ACL)

• ICMPv6-Internet Control Message Protocol (For IPv6 ACL)

• ESP—IP Encapsulating Security Payload

• AH—Authentication Header

• GRE—Generic Routing Encapsulation

• IP—Internet Protocol

• Eth Over IP—Ethernet over Internet Protocol

• OSPF—Open Shortest Path First

• Other—Any other IANA protocol (Go to IANA Website)

Source Port Any or IP address and netmask.

Dest Port Any or IP address and netmask.

DSCP Any or Specific (from 0 to 63) Differentiated Services Code Point (DSCP). A packet header code that can be used to define quality of service (QoS) across the Internet.





Table 5-100 FlexConnect ACL New Rule Parameters


Sequence Operator that can define up to 64 rules for each ACL.

The rules for each ACL are listed in a contiguous sequence from 1 to 64. If rules 1 through 4 are already defined and you add rule 29, it is be added as rule 5.

Note If you add or change a sequence number, the Operating System adjusts the other rule sequence numbers to retain the contiguous sequence. For instance, if you have sequence numbers 1 through 7 defined and change number 7 to 5, the Operating System automatically reassigns sequence 6 to 7 and Sequence 5 to 6.

Source Any or IPv4 or IPv6 address and netmask. For IPv4 addresses, the netmask is displayed and for IPv6 addresses, the prefix length is displayed.

Destination Any or IPv4 or IPv6 address and netmask. For IPv4 addresses, the netmask is displayed and for IPv6 addresses, the prefix length is displayed.

Protocol

Note When you select some of these protocols, one or more additional data entry fields open up. Enter the port number in a single data entry field, or enter the source and destination port when there are two data entry fields.

Protocol to use for this ACL:












• Other—Any other IANA protocol (Go to IANA’s Website)


Chapter 5 Wireless Tab 802.11a/n/ac Global Parameters

802.11a/n/ac Global ParametersChoose WIRELESS > 802.11a/n/ac > Global Parameters to navigate to the 802.11a/n/ac Global Parameters page. This page enables you to change the global parameters of your 802.11a/n network.

This table describes the 802.11a/n global parameters.

DSCP Any or Specific (from 0–63) Differentiated Services Code Point (DSCP). A packet header code that can be used to define quality of service across the Internet.





Table 5-101 802.11a/n Global Parameters


802.11a Network Status 802.11a/n network status.

Note You must enable this option to enable the 802.11a/n network after configuring other 802.11a/n parameters. This option enables only the global Cisco WLAN Solution 802.11a/n network. To disable the 802.11a, 802.11b, 802.11g, and/or 802.11n networks for an individual WLAN, see the Editing WLANs page.

Beacon Period Rate (in milliseconds) at which the SSID is broadcast by the access point. Valid values are from 100 to 600; the default is 100.

Fragmentation Threshold Fragmentation threshold that you can set. Valid values are from 256 to 2346 bytes; the default is 2346.

DTPC Support DTPC support. Enable this option to advertise the transmit power level of the radio in the beacons and the probe responses.

Maximum Allowed Clients

Maximum clients allowed per radio.

RSSI Low Check Check box that you can enable to reject a client association request if the Received Signal Strength Indicator (RSSI) is lower than the configured RSSI threshold.

RSSI Threshold RSSI Threshold that is used to reject the client association request. The range is from –60 to –90 dBm. The default value is –80 dBm.

802.11a Band Status 802.11a/n low-band, mid-band, and high-band statuses.




802.11a/n/ac RF GroupingChoose WIRELESS > 802.11a/n/ac > RRM > RF Grouping to navigate to the RF Groupingpage.

This page enables you to edit the RF grouping characteristics.

This table describes the RF grouping algorithm parameters.

Data Rates Data rates that are negotiated here are negotiated between the client and the Cisco WLC. If the data rate is set to Mandatory, the client must support it in order to use the network. If a data rate is set as Supported by the Cisco WLC, the client may negotiate for the respective rate. Each data rate can also be set to Disabled to match client settings.

CCX Location Measurement

Mode that enables CAPWAP access points to issue broadcast Radio Measurement Request messages to Cisco Compatible Extensions (V2 and higher) clients. This Measurement Request message is repeated periodically for every SSID over each enabled radio interface based on the specified interval. The response from the client is used to improve accuracy in location measurement.

Interval (seconds)—Interval of the broadcast Radio Measurement Request messages.

Table 5-101 802.11a/n Global Parameters




Table 5-102 RF Grouping Algorithm Parameters


Group Mode RF grouping that can be configured in any of these modes:

• leader

Note IPv6 is supported for RF grouping in static-leader mode.

• auto

Note IPv6 is not supported for RF grouping in auto mode. It supports only IPv4.

• off. When the group mode is off, no RF grouping occurs.

When a controller reboots, it starts by being a standalone leader to itself. In auto mode, the controllers form an RF group and elect an auto leader (group mode is auto mode) if the neighboring APs are in the same RF domain.

In static mode, the user can configure the static leader by selecting the leader from the group mode drop-down list. The members’ management IP addresses and system name are used to request the member to join the static-leader.

Note A static leader is not allowed to become a member of another controller until its mode is auto.

Note A controller with a lower priority cannot assume the role of a group leader if a controller with a higher priority is available in the RF group.

Click Restart to restart the RRM RF grouping.

Group Role Current role of the controller.

Group Update Interval Interval (in seconds) that represents the period with which the grouping algorithm is run by the group leader. The Grouping algorithm also runs when the group contents change and automatic grouping is enabled. A dynamic grouping can be started upon request from the system administrator. This value is set at 600 seconds.



RF Group Members

This table describes the RF group parameters.

You can add a controller as a static group member by specifying the controller name and the management IP address. Click Add to add the controller as an RF group member.

When adding RF group members, the leader can allow the number of group members based on the following criteria:

• Maximum number of APs supported: The maximum limit for the number of access points in an RF group is 1000 or twice the maximum number APs licensed on the controller.

• Twenty controllers: Only 20 controllers (including the leader) can be part of an RF group if the sum of the access points of all controllers combined is less than or equal to the upper access point limit.

Note If a controller cannot be added as a static RF group member, the reason is indicated in parentheses.

Group Leader Name and IPv4/IPv6 address of the group leader for the group that contains the Cisco WLC.

The RF Group Leader can be configured in two ways, as follows:

• Auto Mode—In this mode, the members of an RF group elect an RF group leader to maintain a “master” power and channel scheme for the group. The RF grouping algorithm dynamically chooses the RF group leader and ensures that an RF group leader is always present. Group leader assignments can and do change (for instance, if the current RF group leader becomes inoperable or if RF group members experience major changes).

• Static Mode—In this mode, the user selects a controller as an RF Group leader manually. In this mode, the leader and the members are manually configured and are therefore fixed. If the members are unable to join the RF Group, the reason is indicated. The leader tries to establish a connection with a member every 1 (one) minute if the member has not joined in the previous attempt.

Last Group Update Elapsed time since the last group update in seconds. This parameter is only valid if this Cisco WLC is a group leader.



Table 5-103 RF Group Members


Controller Name controller on which the RF Group is created.

IP Address (IPv4/IPv6) IPv4/IPv6 address of the controller that belong to a RF group.

Note IPv6 is supported only for leader type (static-leader) of RF grouping.




802.11a/n/ac Tx Power ControlChoose WIRELESS > 802.11a/n/ac > RRM > TPC to navigate to this page.

This page enables you to edit the transmit power control (TPC) parameters.

Tx Power-Level Assignment

The TPC algorithm balances RF power in many diverse RF environments. Automatic power control may not be able to resolve some scenarios in which an adequate RF design was not possible to implement due to architectural restrictions or site restrictions—for example, when all access points must be mounted in a central hallway, placing the access points close together, but requiring coverage out to the edge of the building.

In these scenarios, you can configure maximum and minimum transmit power limits to override TPC recommendations. The maximum and minimum TPC power settings apply only to access points that are attached to a controller from which they are configured. The default settings disable this feature, and you should use care when overriding TPC recommendations.

To set the Maximum Power Level Assignment and Minimum Power Level Assignment text boxes, enter the maximum and minimum transmit power used by RRM on the Tx Power Control page. The range for these parameters is –10 to 30 dBm. The minimum value cannot be greater than the maximum value; the maximum value cannot be less than the minimum value.




TPC Version Transmit Power Control version to be chosen from the following options:

• Interference Optimal Mode (TPCv2)—For scenarios where voice calls are extensively used. Transmit power is dynamically adjusted with the goal of minimum interference. It is suitable for dense networks. In this mode, there might be more frequent roaming and coverage hole incidents.

• Coverage Optimal Mode (TPCv1)—(Default) Offers strong signal coverage. Power can be kept low to gain extra capacity and reduce interference.

Power Level Assignment Method

Dynamic transmit power assignment has three modes:

• Automatic—(Default) The transmit power is periodically updated for all access points that permit this operation.

• On Demand—The transmit power is updated when the Invoke Power Update Now is clicked.

• Fixed—No dynamic transmit power assignments occur and values are set to their global default.




Maximum Power Level Assignment (–10 to 30 dBm)

Maximum power level assignment on this radio.

Note If you configure a maximum transmit power, RRM does not allow any access point attached to the controller to exceed this transmit power level (whether the power is set by RRM TPC or by coverage hole detection). For example, if you configure a maximum transmit power of 11 dBm, then no access point would transmit above 11 dBm, unless the access point is configured manually.

The range is from –10 to 30 dBm.

The default is 30.

Minimum Power Level Assignment (-10 to 30 dBm)

Minimum power level assignment on this radio.

The range is from –10 to 30 dBm.


Power Threshold Cutoff signal level used by RRM when determining whether to reduce an access point’s power.

The default value for this parameter varies depending on the TPC version you choose. For TPCv1, the default value is –70 dBm, and for TPCv2, the default value is –67 dBm. The default value can be changed when access points are transmitting at higher (or lower) than desired power levels. The range for this parameter is –80 to –50 dBm.

Increasing this value (between –65 and –50 dBm) causes the access points to operate at higher transmit power levels. Decreasing the value has the opposite effect.

Note In applications with a dense population of access points, it may be useful to decrease the threshold to –80 or –75 dBm in order to reduce the number of BSSIDs (access points) and beacons seen by the wireless clients. Some wireless clients might have difficulty processing a large number of BSSIDs or a high beacon rate and might exhibit problematic behavior with the default threshold.

Power Neighbor Count Minimum number of neighbors that an access point must have for the transmit power control algorithm to run.

Power Assignment Leader Name and IP address of the power level assignment leader.

Last Power Level Assignment Elapsed time since the last transmit power assignment in seconds.





802.11a/n/ac Dynamic Channel AssignmentChoose WIRELESS > 802.11a/n/ac > RRM > DCA to navigate to the Dynamic Channel Assignment page.

This page enables you to specify the channels that the dynamic channel assignment (DCA) algorithm considers when selecting the channels to be used for RRM scanning.

This functionality is helpful when you know that the clients do not support certain channels because they are legacy devices or they have certain regulatory restrictions.

Information About the RRM Start-Up Mode

• For a single controller setup, RRM start-up mode will take effect after a controller reboot.

• For a multicontroller setup, RRM start-up mode will take effect after RF Group leader election.

• The RRM start-up mode runs for 100 minutes (10 iterations at a 10-minute interval).

• The duration of the start-up mode is independent of the DCA interval, sensitivity, and network size.

• DCA start-up mode consists of 10 DCA runs with high sensitivity (making channel changes easy and sensitive to the environment) to converge to a steady state channel plan.

• After the start-up mode is finished, DCA continues to run at the interval and sensitivity specified by the user.

Dynamic Channel Assignment Algorithm

This table describes the DCA algorithm parameters.



Table 5-105 DCA Algorithm Parameters


Channel Assignment Method DCA has three modes:

• Automatic—Mode that periodically updates the channel assignments for all access points that permit this operation.

– Interval—How often the DCA algorithm has been configured to run.

Note If your controller supports only OfficeExtend access points, we recommend that you set the DCA interval to 6 hours for optimal performance. For deployments with a combination of OfficeExtend access points and local access points, the range of 10 minutes to 24 hours can be used.

– Anchor Time—The time of day when the DCA algorithm has been configured to start. The range is from 0 to 23 (12:00 a.m. to 11:00 p.m.)

• Freeze—Mode that causes the controller to evaluate and update the channel assignment for all joined access points, if necessary, but only when you click Invoke Channel Update Once.

Note The controller does not evaluate and update the channel assignment immediately after you click Invoke Channel Update Once. It waits for the next interval to elapse.

• OFF—Mode that turns off DCA and sets all access point radios to the first channel of the band, which is the default value. If you choose this option, you must manually assign channels on all radios.

The default is Automatic.

Avoid Foreign AP Interference Radio Resource Management (RRM) Foreign 802.11 interference-monitoring parameter that you can enable Radio Resource Management to consider interference from foreign (non-Cisco access point outside the RF/mobility domain) access points when assigning channels to Cisco access points. You can disable this parameter to have Radio Resource Management ignore this interference.

In certain circumstances with significant interference energy (dBm) and load (utilization) from Foreign APs, Radio Resource Management may adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the Foreign APs to increase capacity and reduce variability for the Cisco WLAN Solution.



Avoid Cisco AP Load Radio Resource Management (RRM) bandwidth-sensing parameter that you can enable or disable to have controllers consider the traffic bandwidth used by each access point when the controller assigns channels to the access points. Disable this parameter to have Radio Resource Management ignore this value. The default is enabled.

In certain circumstances and with denser deployments, there may not be enough channels to properly create perfect channel reuse. In these circumstances, Radio Resource Management can assign better reuse patterns to those access points that carry more traffic load.

Avoid non-802.11a Noise Radio Resource Management (RRM) noise-monitoring parameter that you can enable to have access points avoid the channels that have interference from nonaccess point sources, such as microwave ovens or Bluetooth devices. You can disable this parameter to have Radio Resource Management ignore this interference. The default is enabled.

In circumstances with significant interference energy (dBm) from non-802.11 noise sources, Radio Resource Management may adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources to increase capacity and reduce variability.

Avoid Persistent Non-WiFi Interference

Persistent non-Wi-Fi interference devices that you can enable or disable.

Channel Assignment Leader Name and IP address of the channel assignment leader. This is the MAC address of the group leader.

Last Auto Channel Iteration Last time that the Radio Resource Management (RRM) evaluated the current channel assignment on a periodic basis. This parameter does not imply that channels have changed, only that the Radio Resource Management has made an evaluation of the current assignment.

DCA Channel Sensitivity Configured DCA sensitivity setting.

This setting determines how sensitive the DCA algorithm is to environmental changes, such as signal, load, noise, and interference, when determining whether to change channels.

Note To see why the DCA algorithm changed channels, click Monitor and then View All under Most Recent Traps. The trap provides the MAC address of the radio that changed channels, the previous channel and the new channel, the reason why the change occurred, the energy before and after the change, the noise before and after the change, and the interference before and after the change.





DCA Channel List

This table describes the DCA channel list parameters.

Channel Width1 Channel bandwidth supported for all the 802.11n/ac radios in the 5-GHz band: 20 MHz, 40 MHz, or 80 MHz.

40-MHz channelization allows radios to achieve higher instantaneous data rates (potentially 2.25 times higher than 20-MHz channels).

Note If you choose 40 MHz, be sure to choose at least two adjacent channels from the DCA Channel List (for example, a primary channel of 36 and an extension channel of 40). If you choose only one channel, that channel is not used for 40-MHz channel width.

Note You cannot pair the following channels together: 116 and 112, 140 and 136, and 165 and 161.

80 MHz channelization allows radios to achieve Very High Throughput (VHT). Adjacent 40-MHz subchannels are grouped into pairs to make 80-MHz channels.

• If you choose 80 MHz for 802.11ac capable radios, ensure that you choose four adjacent 20-MHz channels from the DCA Channel List. You can select the primary channel and based on the available channel pairing you can configure appropriate secondary 20-MHz and 40-MHz extension channels for the radio.

Avoid check for non-DFS channel.

Check for non-DFS channels that you can enable or disable.

DCA configuration requires at least one non-DFS channel to the list. In the EU countries, outdoor deployments do not support non-DFS channels. Customers based in EU or regions with a similar regulation must enable this option.

1. To override the globally configured DCA channel width setting, you can statically configure an access point’s radio for 20-MHz, 40-MHz, or 80-MHz mode on the Configuring 802.11a/n APs page. If you change the static RF channel assignment method to Global on the access point radio, the global DCA configuration overrides the channel width configuration that the access point was previously using.





Event Driven RRM

This table describes the event driven RRM parameters.

Table 5-106 DCA Channel List Parameters


DCA Channels DCA channels currently selected.

Channel list Channel list you can choose or exclude a channel.

Note The following extended UNII-2 channels have been removed from the channel list:

100, 104, 108, 112, 116, 132, 136, 140

If you have Cisco Aironet 1520 mesh access points in the -E domain, you must include these channels in the DCA channel list before you start operation. If you are upgrading from a previous release, verify that these channels are included in the DCA channel list.

To include these channels in the channel list, enable the Extended UNII-2 channels option.

The channels are as follows:

36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165,

The default channels are as follows:

36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161

4.9 GHz Channel list Channel range 1 through 26 that you can choose or include in a channel.

These channels are supported on Cisco Aironet 1520 series mesh access points. The 4.9-GHz band is for public safety client access traffic only.

Extended UNII-2 channels

Extended UNII-2 channels (100, 104, 108, 112, 116, 132, 136, 140) in the channel list that you can enable or disable. The default is unselected.

India Extended UNII-3 channels

India Extended UNII-3 channels (169 and 173) in the channel list that you can enable or disable. The default is unselected.




802.11a/n/ac Coverage Hole DetectionChoose WIRELESS > 802.11a/n/ac > RRM > Coverage to navigate to the Coverage page.

This page enables you to configure coverage-hole detection or to specify the Received Signal Strength Indicator (RSSI) parameters.

Coverage Parameters

This table describes the RRM coverage parameters.

Table 5-107 Event Driven RRM Parameters


EDRRM EDRRM that you can enable or disable. Radio Resource Management (RRM) to run when a CleanAir-enabled access point detects a significant level of interference.

If enabled, set the sensitivity threshold level (below) at which the RRM is invoked. The default is enabled.

Sensitivity Threshold Configured sensitivity threshold setting at which the RRM is invoked.

The available values are Low, Medium, High, or Custom. When the interference level of the access point raises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity. The default value is Medium.

Custom Sensitivity Threshold Custom sensitivity threshold that you can enter. This field is displayed if the Sensitivity Threshold is set to custom.

Rogue Contribution Check box to configure the Rogue Duty Cycle

Rogue Duty-Cycle Proportion of time (in percentage) during which the interfering device was active. Valid range is 1% to 99%.



802.11a/n/ac RRMChoose WIRELESS > 802.11a/n/ac > RRM > General to navigate to the General page.

This page enables you to specify general radio resource management (RRM) parameters.

Profile Thresholds For Traps

This table describes the profile threshold parameters.

Noise/Interference/Rogue Monitoring Channels

This table describes the Noise/Interference/Rogue monitoring channel parameters.

Table 5-108 RRM Coverage Parameters


General

Enable Coverage Hole Detection

Coverage Hole Detection (CHD) that you can enable or disable. The default is enabled.

Coverage Threshold

Data RSSI (–60 to –90 dBm) Data RSSI threshold in dBm.


Voice RSSI (–60 to –90 dBm) Voice RSSI threshold in dBm.


Min Failed Client Count per AP (1 to 75)

Minimum number of clients on an access point with a RSSI below the coverage threshold.

The default is 3.

Coverage exception level per AP (0 to 100%)

Maximum desired percentage of clients on the radio of an access point operating below the desired coverage threshold.

The default is 25.

Table 5-109 Profile Threshold Parameters


Interference (0 to 100%) Foreign 802.11a/n/ac interference threshold between 0 and 100 percent. The default is 10.

Clients (1 to 75) Client threshold between 1 and 75 clients. The default is 12.

Noise (-127 to 0 dBm) Foreign noise threshold between –127 and 0 dBm. The default is –70.

Utilization (0 to 100%) 802.11a/n/ac RF utilization threshold between 0 and 100 percent. The default is 80.



Monitor Intervals

This table describes the monitor interval parameters.

Click Set to Factory Default to set all Auto RF 802.11a parameters to the factory defaults.


Table 5-110 Noise/Interference/Rogue Monitoring Channel Parameters


Channel List Country Channels drop-down list. Choose one of the following:

• All Channels—RRM channel scanning occurs on all channels supported by the selected radio, which includes channels not allowed in the country of operation.

• Country Channels (default)—RRM channel scanning occurs only on the data channels in the country of operation.

• DCA Channels—RRM channel scanning occurs only on the channel set used by the dynamic channel assignment algorithm, which by default includes all of the nonoverlapping channels allowed in the country of operation. However, you can use the 802.11a/n/ac Dynamic Channel Assignment page to specify the channel set to be used by DCA.

Table 5-111 Monitor Interval Parameters


Channel Scan Interval Interval (in seconds) at which the channel scanning occurs.

The default is 60.

Note If your controller supports only OfficeExtend access points, we recommend that you set the channel scan duration to 1800 seconds for optimal performance. For deployments with a combination of OfficeExtend access points and local access points, the range of 60 to 3600 seconds can be used.

Neighbor Packet Frequency Interval (in seconds) for how frequently the neighbor packets (messages) are sent, which eventually builds the neighbor list.

The default is 60.

Note If your controller supports only OfficeExtend access points, we recommend that you set the neighbor packet frequency to 600 seconds for optimal performance. For deployments with a combination of OfficeExtend access points and local access points, the range of 60 to 3600 seconds can be used.

Note The range is from 60 to 3600 seconds.



802.11a/n/ac Client RoamingChoose WIRELESS > 802.11a/n/ac > Client Roaming to navigate to the Client Roaming page.

This page enables you to set seamless client roaming within subnets across access points and virtual LANs (VLANs) under Layer 2 security, and between subnets under Layer 3 security.

CCX-capable clients after association receive a list of neighboring APs, which is used by the clients for selecting the appropriate APs while roaming. This list improves the roaming time. The values for RSSI and Hysteresis are used for fine tuning the roaming behavior and neighbor list.

This table describes the 802.11a/n/ac client roaming parameters.

Table 5-112 802.11a/n/ac Client Roaming Parameters

RF Parameters Description

Mode Mode that you can set to either default or custom.

Note The following fields can be changed when you choose Custom mode.

Minimum RSSI Minimum received signal strength indicator (RSSI) required for the client to associate to an access point. If the client’s average received signal power dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.

The actual value is in dBm (the range is from –50 to –90; the default is –85).

Hysteresis Signal strength of a neighboring access point to enable a client to roam to it. This parameter is intended to reduce the amount of roaming between access points if the client is physically located on or near the border between two access points.

The actual value is in dB (the range is from 3 to 20; the default is 3).

Scan Threshold RSSI value from a client’s associated access point below which the client must be able to roam to a neighboring access point within the specified transition time. This parameter also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.

Actual value in dBm (the range is from –50 to –90; the default value is –72).

Transition Time Maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client’s associated access point is below the scan threshold.

The actual value is in seconds (the valid range is from 1 to 5; the default value is 5).

Note For high-speed client roaming applications in outdoor mesh environments, we recommend a setting of 1 second.




802.11a/n/ac Voice ParametersChoose WIRELESS > 802.11a/n/ac > Media to navigate to the Media page and click on the Voice tab.

This page enables you to set the parameters to adjust the voice quality over the 802.11a/n/ac link.

Guidelines

• Disable all WMM-enabled WLANs before changing voice parameters. Enable the WMM-enabled WLANs again after you have applied the voice settings.

• SIP CAC should only be used for phones that support status code of 17 and do not support TSPEC-based admission control.

• SIP CAC will be supported only if SIP snooping is enabled.

This table describes the 802.11a/n/ac voice CAC parameters.

Table 5-113 802.11a/n/ac Voice CAC Parameters


Admission Control (ACM) Voice CAC that you can enable for this radio band. The default is disable.

For more information, see the “Call Admission Control” topic.

CAC Method CAC method to use. Use Load Based to enable channel-based CAC and use Static to enable bandwidth-based CAC. The default is load-based CAC.

For more information, see the “Load-Based CAC” topic.

Max RF Bandwidth (%) Percentage of the maximum bandwidth allocated to clients for voice applications on this radio band that you can set. Once the client reaches the value specified, the access point rejects new calls on this radio band.

The default value is 75%; valid values are from 5% to 85%.

Reserved Roaming Bandwidth (%) Percentage of maximum allocated bandwidth reserved for roaming voice clients. The controller reserves this much bandwidth from the maximum allocated bandwidth for roaming voice clients.


Expedited Bandwidth Parameter that enables CCXv5 clients to indicate the urgency of a WMM traffic specifications (TSPEC) request (for example, an e911 call) to the WLAN. This setting is disabled by default.

For more information, see the “Expedited Bandwidth Request” topic.

SIP CAC Support SIP CAC support that you can enable. The default is disabled.

Note To use SIP CAC, you must enable SIP snooping.



Note SIPs are available only on the following controllers: Cisco 4400, Cisco 2504, 5500, 7500, 8500 Series Wireless Controllers and on 1240, 1130, and 11n access points.

This table describes the 802.11a/n/ac TSM parameters.

Call Admission Control

Call admission control (CAC) enables an access point to maintain controlled quality of service (QoS) when the wireless LAN is experiencing congestion.

Per-call SIP BandwidthNote SIP CAC should only be used for phones that do not support TSPEC-based admission control.

SIP Codec Codec name that you want to use on this radio. The available options are G.711, G.729, and User Defined.

SIP Bandwidth (kbps) Bandwidth in kilobits per second that you want to assign per SIP call on the network. This parameter can be configured only when the SIP Codec selected is User Defined.

The default value is 64; valid values are from 8 to 64.

Note The SIP Bandwidth (Kbps) text box is highlighted only when you select the SIP codec as user-defined. If you choose the SIP codec as G.711, the SIP Bandwidth (Kbps) text box is set to 64. If you choose the SIP codec as G.729, the SIP Bandwidth (Kbps) text box is set to 8.

SIP Voice Sample Interval (msecs) Sample interval in milliseconds that the codec must operate.

Note If SIP CAC is supported and CAC method is static, the Maximum Possible Voice Calls and Maximum Possible Roaming Reserved Calls fields are displayed.

Maximum Possible Voice Calls Maximum possible voice calls that can be made. This option is displayed if the SIP CAC method is static.

Maximum Possible Roaming Reserved Calls

Maximum possible roaming reserved calls that can be made. This option is displayed if the SIP CAC method is static.

Traffic Streams Metrics

Metrics Collection TSM Metrics that you can enable or disable.

Table 5-113 802.11a/n/ac Voice CAC Parameters


Table 5-114 802.11a/n/ac TSM Parameter


Metrics collection TSM collection.

For more information, see the “Traffic Stream Metrics” topic.



CAC enables the client to specify how much bandwidth or shared medium time would be required to accept a new call and in turn enables the access point to determine whether it is capable of accommodating this particular call. The access point rejects the call if necessary in order to maintain the maximum allowed number of calls with acceptable quality.

To use CAC with voice applications, follow these steps:

Step 1 Configure the WLAN for Platinum QoS.

Step 2 Enable the Wi-Fi Multimedia (WMM) protocol for the WLAN.

Note You must enable admission control (ACM) for CCXv4 clients that have WMM enabled. Otherwise, CAC does not operate properly.

Unscheduled automatic power save delivery (U-APSD) is enabled automatically when WMM is enabled. U-APSD is a QoS facility defined in IEEE 802.11e that extends the battery life of mobile clients. In addition to extending battery life, this feature reduces the latency of traffic flow delivered over the wireless media. Because U-APSD does not require the client to poll each individual packet buffered at the access point, it allows delivery of multiple downlink packets by sending a single uplink trigger packet.

Bandwidth-Based CAC

Bandwidth-based, or static, CAC enables the client to specify how much bandwidth or shared medium time is required to accept a new call and in turn enables the access point to determine whether it is capable of accommodating this particular call. The access point rejects the call if necessary in order to maintain the maximum allowed number of calls with acceptable quality.

Note You must enable admission control (ACM) for CCXv4 clients that have WMM enabled. Otherwise, bandwidth-based CAC does not operate properly.

Load-Based CAC

Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by collocated channel interference. Load-based CAC also covers the additional bandwidth consumption results from PHY and channel impairment.

In load-based CAC, the access point periodically measures and updates the utilization of the RF channel, channel interference, and the additional calls that the access point can admit. The access point admits a new call only if the channel has enough unused bandwidth to support that call. Load-based CAC prevents oversubscription of the channel and maintains QoS under all conditions of WLAN loading and interference.

Expedited Bandwidth Request

The expedited bandwidth request feature enables CCXv5 clients to indicate the urgency of a WMM traffic specification (TSPEC) request (for example, an e911 call) to the WLAN. When the controller receives this request, the controller attempts to facilitate the urgency of the call in any way possible without potentially altering the quality of other TSPEC calls that are in progress.

You can apply expedited bandwidth requests to both static and load-based CAC.



Expedited bandwidth requests are disabled by default. If you configured the WLAN in such a way that it does not support CCX V5 or if you disabled expedited bandwidth requests, the controller ignores all expedited requests and processes TSPEC requests as normal TSPEC requests.

The following table provides examples of TSPEC request handling for normal TSPEC requests and expedited bandwidth requests.

This table describes the expedited bandwidth request parameters.

Traffic Stream Metrics

In a Voice-over-Wireless LAN (VoWLAN) deployment, four variables can affect audio quality: packet latency, packet jitter, packet loss, and roaming time. These variables are referred to as traffic stream metrics (TSM). An administrator can isolate poor voice quality issues by studying these variables.

You can configure TSM on each radio-band (for example, all 802.11a radios). The controller saves the configuration in flash memory so that it persists across reboots. After an access point receives the configuration from the controller, it enables TSM on the specified radio band.

Note Access points support TSM in both local and FlexConnect modes.


Table 5-115 Expedited Bandwidth Request Parameters

CAC Mode

Reserved bandwidth for voice calls1

1. For the static (bandwidth-based) CAC, the voice call bandwidth usage is per access point and does not take into account co-channel access points. For load-based CAC, the voice call bandwidth usage is measured for the entire channel.

Usage2

2. Static CAC (consumed voice and video bandwidth) or load-based CAC (channel utilization [Pb]).

Normal TSPEC Request

TSPEC with Expedited Bandwidth Request

Static CAC 75% (default setting)

Less than 75% Admitted Admitted

Between 75% and 90% (reserved bandwidth for voice calls exhausted)

Rejected Admitted

More than 90% Rejected Rejected

Load-based CAC



Rejected Admitted

More than 90% Rejected If the voice traffic load is light relative to the data traffic load, then it is admitted. Otherwise, rejected



802.11a/n/ac Video ParametersChoose WIRELESS > 802.11a/n/ac > Media to navigate to the Media page and click the Video tab.

This page enables you to set video quality parameters over the 802.11a link.

Note Disable all WMM-enabled WLANs before changing video parameters. Re-enable the WMM-enabled WLANs after you have applied the video settings.

This table describes the 802.11a/n/ac video parameters.


802.11a/n/ac Media ParametersChoose WIRELESS > 802.11a/n/ac > Media to navigate to the Media page and click the Media tab. This page enables you to set voice and video quality parameters over the 802.11a link.

This table describes the media stream multicast direct parameters.

Table 5-116 802.11a/n/ac Video Parameters


Admission Control (ACM) Video CAC for this radio band that you can enable or disable. The default is unselected.

CAC Method CAC method to use. Use Load Based to enable channel-based CAC and use Static to enable bandwidth-based CAC. The default is load-based CAC.

For more information, see the “Bandwidth-Based CAC” and “Load-Based CAC” topics.

Max RF Bandwidth (%) Percentage of the maximum bandwidth allocated to clients for video applications on this radio band. Once the client reaches the value specified, the access point rejects new requests on this radio band.

The range is from 5 to 85%; however, the maximum RF bandwidth cannot exceed 85% for voice and video. The default value is 0%.

Reserved Roaming Bandwidth (%)

Percentage of maximum allocated bandwidth reserved for roaming video clients. The controller reserves this much bandwidth from the maximum allocated bandwidth for roaming video clients.

The range is from 0 to 25%. The default is 0%.

Table 5-117 Media Stream Multicast Direct Parameters


Unicast Video Redirect Unicast video direct that you can enable or disable for this radio. The default is enabled.

Multicast Direct Admission Control


Chapter 5 Wireless Tab 802.11 EDCA Parameters

802.11 EDCA ParametersChoose WIRELESS > 802.11a/n/ac or 802.11b/g/n > EDCA Parameters to navigate to the EDCA Parameters page.

This page enables you to configure enhanced distributed channel access (EDCA) parameters. EDCA parameters are designed to provide preferential wireless channel access for voice, video, and other quality of service (QoS) traffic.

Note You must disable the radio network before configuring the EDCA parameters. To disable the radio network, go to the 802.11a/n/ac Global Parameters page, unselect the 802.11a Network Status check box, and click Apply.

Maximum Media Bandwidth Percentage of the maximum bandwidth to be allocated for media applications on this radio band. Once the client reaches a specified value, the access point rejects new calls on this radio band.

The default value is 85% and the range is from 5 to 85%.

Client Minimum Phy Rate Minimum transmission data rate in kbps at which the client can operate.

If the transmission data rate is below the phy rate, either the video will not start or the client may be classified as a bad client. The bad client video can be demoted for better effort QoS or subject to denial.

Maximum Retry Percent Percentage of maximum retries that are allowed. The default value is 80. If it exceeds 80, either the video will not start or the client might be classified as a bad client. The bad client video can be demoted for better effort QoS or subject to denial.

Media Stream - Multicast Direct Parameters

Multicast Direct Enable Multicast direct that you can enable or disable for this radio. The default is enable.

Maximum Streams per Radio Maximum number of allowed multicast direct streams per radio. The range is from 0 to 20 or you can choose auto. The default is auto.

When the value is auto, the controller decides the value based on the radio parameters.

Best Effort QoS Admission Parameter that you can enable or disable to have the controller admit the media stream in the best radio queue for this radio. The default is disable.




Chapter 5 Wireless Tab 802.11h Global Parameters

After you configure the EDCA parameter, re-enable the radio network. To re-enable the radio network, go to the 802.11a/n/ac Global Parameters page, select the 802.11a Network Status check box, and click Apply.

This table describes the EDCA general parameters.


802.11h Global ParametersChoose WIRELESS > 802.11a/n/ac > DFS (802.11h) to navigate to the 802.11h Global Parameters page. This page enables you to set 802.11h parameters.

Caution Disable the 802.11a/n/ac network before you configure the 802.11h network.

When DFS is enabled, it detects the presence of other devices that use the same radio channel and switches the WLAN operation to another channel if necessary.

This table describes the 802.11h parameters.

Table 5-118 EDCA General Parameters


EDCA Profile Options from the EDCA Profile drop-down box that you can choose:

• WMM — (Default) Enables the Wi-Fi Multimedia (WMM) default parameters. Choose this option when voice or video services are not deployed on your network.

• Spectralink Voice Priority—Enables Spectralink voice priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.

• Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than Spectralink are deployed on your network.

• Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.

Note If you deploy video services, admission control (ACM) must be disabled from the 802.11a/n/ac Video Parameters page.

Enable Low Latency MAC MAC optimization for voice that you can choose.

This feature enhances voice performance by controlling packet retransmits and aging out voice packets on lightweight access points, improving the number of voice calls serviced for each access point.


Chapter 5 Wireless Tab 802.11n/ac (5 GHz) Very High Throughput


802.11n/ac (5 GHz) Very High ThroughputChoose WIRELESS > 802.11a/n/ac > High Throughput (802.11n/ac) to navigate to the 802.11n/ac (5 GHz) Throughput page.

This page enables you to configure 802.11n and 802.11ac support on the network and to enable or disable support of the different modulation coding scheme (MCS) settings. The MCS settings determine the number of spatial streams, modulation, coding rate, and data rate values.

General Parameters

Disabling the 802.11n/ac mode is applicable only to access radios. Backhaul radios always have the 802.11n/ac mode enabled if they are 802.11n capable.

This table describes the 802.11a/n/ac parameters.

Table 5-119 802.11h Parameters


Local Power Constraint Local power constraint (in dBm) that you can specify. This parameter is displayed when Power Constraint is enabled. The range is from 0 to 30 dBm.

Channel Announcement Channel announcement method in which the access point announces when it is switching to a new channel and the new channel number.

Channel Quite Mode Channel quite mode that you can enable or disable. This parameter is displayed when Channel Announcement is enabled. The default is unselected.



11n Mode The 802.11n mode that you can enable or disable on the network. The default is enabled.

Note If you want to disable 802.11n when both 802.11n and 802.11ac are enabled, you must disable 802.11ac first.

11ac Mode The 802.11ac mode that you can enable or disable on the network. The default is enabled.

Note You can modify the 802.11ac status only if 802.11n is enabled.

HT MCS Index Setting for a specific High Throughput (HT) Modulation and Coding Scheme (MCS) index value that you can enable or disable (0 through 23). Data rates are determined according to the MCS index. By default, all are selected.


Chapter 5 Wireless Tab 802.11a/n/ac CleanAir


802.11a/n/ac CleanAirTo configure the Cisco CleanAir functionality on the 802.11a/n/ac network using the controller GUI, follow these steps:

Step 1 Choose Wireless > 802.11a/n/ac > CleanAir to navigate to the 802.11a/n/ac > CleanAir page.


Step 2 Select the CleanAir check box to enable the CleanAir functionality on the 802.11a/n/ac network, or unselect the check box to prevent the controller from detecting spectrum interference. The default is disabled.

Step 3 Select the Report Interferers check box to enable the CleanAir system to report any detected sources of interference, or unselect it to prevent the controller from reporting interferers. The default is enabled.

Note Device Security alarms, Event Driven RRM, and Persistence Device Avoidance algorithm will not work if Report Interferers is disabled.

Step 4 Select the Persistent Device Propagation check box to enable propagation of information about persistent devices that can be detected by CleanAir. Persistent device propagation enables designating information about interference types and propagating this information to the neighboring access points associated with the same controller. Persistent interferers are present at the location and interfere with the WLAN operations even if they are not detectable at all times.

SS Signals transmitted by the various antennae are multiplexed by using different spaces within the same spectral channel. These spaces are known as spatial streams.

Three spatial streams are available within which you can enable or disable an MCS data rate.

VHT MCS Index (Data Rate) Setting for a specific Very High Throughput (VHT) MCS that you can enable or disable (0 through 9). By default, all are selected.

MCS index 8 and 9 are specific to 802.11ac. Enabling MCS data rate with index 9 automatically enables data rate with MCS index 8. You can enable or disable MCS index 8 only when MCS index 9 is disabled.




Chapter 5 Wireless Tab 802.11a/n/ac CleanAir

Step 5 Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences to Detect multiple select text box and any that do not need to be detected appear in the Interferences to Ignore multiple select text box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources are detected. The possible sources of interference include the following:

• Canopy—A canopy bridge device

• Continuous Transmitter—A continuous transmitter

• DECT-like Phone—A digital enhanced cordless communication (DECT)-compatible phone

• Jammer—A jamming device

• SuperAG—An 802.11 SuperAG device

• TDD Transmitter—A time division duplex (TDD) transmitter

• Video Camera—A video camera

• WiFi Invalid Channel—A device using nonstandard Wi-Fi channels

• WiFi Inverted Channel—A device using spectrally inverted Wi-Fi signals

• WiMAX Fixed—A WiMAX fixed device (802.11a/n/ac only)

• WiMAX Mobile—A WiMAX mobile device (802.11a/n/ac only)

Note Access points associated to the controller send interference reports only for the type of interferer devices that appear in the Interferences to Detect text box. This functionality enables you to filter out a source of interference that you do not want as well as any that may be flooding the network and causing performance problems for the controller or Cisco PI. Filtering allows the system to resume normal performance levels.

Step 6 Configure CleanAir alarms as follows:

• Select the Enable AQI (Air Quality Index) Trap check box to enable the triggering of air quality alarms, or unselected the check box to disable this feature. The default value is selected.

• If you selected the Enable AQI Trap check box, enter a value between 1 and 100 (inclusive) in the AQI Alarm Threshold text box to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default is 35.

• Enter the AQI Alarm Threshold (1 to 100) that you want to set. An alarm is generated when the air quality falls below the configured threshold value. The default is 35. The range is from 1 to 100.

• Select the Enable trap for Unclassified Interferences check box to enable the traps to be generated for unclassified interferences. Cisco CleanAir can detect and monitor unclassified interferences. Unclassified interferences are interferences that are detected but do not correspond to any of the known interference types.

• Enter the Threshold for Unclassified category trap (1 to 99). Enter a value between 1 and 99. The default is 20. This is the severity index threshold for an unclassified interference category.

• Select the Enable Interference For Security Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselect the check box to it to disable this feature. The default value is selected.


Chapter 5 Wireless Tab 802.11b/g/n Global Parameters

• Make sure that any sources of interference that need to trigger interferer alarms appear in the Trap on These Types multiple select text box and any that do not need to trigger interferer alarms appear in the Do Not Trap on These Types text box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources trigger interferer alarms.

For example, if you want the controller to send an alarm when it detects a jamming device, select the Enable Interference Type Trap check box and move the jamming device to the Trap on These Types multiple select box.

Step 7 The Event Driven RRM section displays the current status or the event-driven radio resource management configured on this radio:

• EDRRM—Displays the current status of the spectrum event-driven RRM.

• Sensitivity Threshold—Displays the threshold level at which the event-driven RRM is invoked.

Note If you want to change the current status of event-driven RRM or the sensitivity level, click Change Settings. The 802.11a (or 802.11b) > RRM > Dynamic Channel Assignment (DCA) page appears.


802.11b/g/n Global ParametersChoose WIRELESS > 802.11b/g/n > Network to navigate to the 802.11b/g/n Global Parameters page.

This page enables you to edit the global parameters of your 802.11b/g/n network.

This table describes the 802.11 b/g/n global parameters.

Table 5-121 802.11 b/g/n Global Parameters

Parameter DescriptionGeneral Parameters

802.11b/g Network Status 802.11b/g/n network parameters that you can enable or disable. The default is enabled.

802.11g Support 802.11g network support. Only available if 802.11b/g network is enabled. The default is enabled.

Note You must use these commands to enable the 802.11b/g networks after configuring other 802.11b/g parameters. This command only enables the global Cisco WLAN Solution 802.11b/g networks. To disable the 802.11a, 802.11b and/or 802.11g networks for an individual WLAN, see the Editing WLANs page.

Beacon Period (millisecs) Rate at which the SSID is broadcast by the access point, from 100 to 600 milliseconds. The default is 100 milliseconds.



Short Preamble Short preamble that you can enable or disable. This parameter must be disabled to optimize this Cisco WLC for some clients, including SpectraLink NetLink Telephones. The default is enabled.

Fragmentation Threshold (bytes) Fragmentation threshold (in bytes) that you can set in the range 256 to 2346 bytes. The default is 2346.

DTPC Support DTPC support that you can enable or disable to advertise the transmit power level of the radio in the beacons and the probe responses. The default is unselected.

Maximum Allowed Clients Maximum clients allowed per radio. The range is from 1 to 200.

CCX Location Measurement Mode that enables CAPWAP access points to issue broadcast Radio Measurement Request messages to Cisco Compatible Extensions (V2 and higher) clients. This Measurement Request message is repeated periodically for every SSID over each enabled radio interface based on the specified interval. The response from the client is used to improve accuracy in location measurement.

• Mode—Option that you enable if you want CAPWAP access points to issue broadcast Radio Measurement Request messages to Cisco Compatible Extensions (V2 and higher) clients. This Measurement Request message is repeated periodically for every SSID over each enabled radio interface based on the specified interval. The response from the client is used to improve accuracy in the location measurement. The default is unselected.

• Interval (seconds)—Specifies the interval of the broadcast Radio Measurement Request messages.

• Data Rates—The data rates set here are negotiated between the client and the Cisco WLC. If the data rate is set to Mandatory, the client must support it in order to use the network. If a data rate is set as Supported by the Cisco WLC, the client may negotiate for the respective rate. Each data rate can also be set to Disabled to match client settings.

Table 5-121 802.11 b/g/n Global Parameters





802.11b/g/n RF GroupingChoose WIRELESS > 802.11b/g/n > RRM > RF Grouping to navigate to the 802.11b > RRM > RF Grouping page.

This page enables you to configure RF grouping characteristics.

This table describes the RF grouping algorithm parameters.



Group Mode RF grouping that can be configured in any of these modes:

• leader

Note IPv6 is supported for RF grouping in static-leader mode.

• auto

Note IPv6 is not supported for RF grouping in auto mode. It supports only IPv4.

• off. When the group mode is off, no RF grouping occurs.

When a Cisco WLC reboots, it starts by being a standalone leader to itself. In auto mode, the Cisco WLCs form an RF group and elect an auto leader (group mode is auto mode) if the neighboring APs are in the same RF domain.

In static mode, the user can configure the static leader by selecting the leader from the group mode drop-down list. The members’ management IP addresses and system name are used to request the member to join the static-leader.

Note A static leader is not allowed to become a member of another Cisco WLC until its mode is auto.

Note A Cisco WLC with a lower priority cannot assume the role of a group leader if a Cisco WLC with a higher priority is available in the RF group.

Click Restart to restart the RRM RF grouping.

Group Role Current role of the Cisco WLC.

Group Update Interval Interval (in seconds) that represent the period with which the grouping algorithm is run by the group leader. The grouping algorithm also runs when the group contents changes and the automatic grouping is enabled. A dynamic grouping can be started upon request from the system administrator. This value is set at 600 seconds.



This table describes the RF group member parameters.

You can add a Cisco WLC as a static group member by specifying the Cisco WLC name and the management IP address. Click Add to add the Cisco WLC as an RF group member.

When adding RF group members, the leader can allow the number of group members based on the following criteria:

• Maximum number of APs supported: The maximum limit for the number of access points in an RF group is 1000 or twice the maximum number APs licensed on the Cisco WLC.

• Twenty Cisco WLCs: Only 20 Cisco WLCs (including the leader) can be part of an RF group if the sum of the access points of all Cisco WLCs combined is less than or equal to the upper access point limit.

Note If a Cisco WLC cannot be added as a static RF group member, the reason is indicated in parentheses.


Group Leader Name and IPv4/IPv6 address of the group leader for the group that contains the Cisco WLC.

The RF Group Leader can be configured in two ways, as follows:

• Auto Mode—In this mode, the members of an RF group elect an RF group leader to maintain a “master” power and channel scheme for the group. The RF grouping algorithm dynamically chooses the RF group leader and ensures that an RF group leader is always present. Group leader assignments can and do change (for instance, if the current RF group leader becomes inoperable or if RF group members experience major changes).

• Static Mode—In this mode, the user selects a Cisco WLC as an RF Group leader manually. In this mode, the leader and the members are manually configured and are therefore fixed. If the members are unable to join the RF Group, the reason is indicated. The leader tries to establish a connection with a member every 1 (one) minute if the member has not joined in the previous attempt.

Last Group Update Elapsed time since the last group update in seconds. This parameter is only valid if this Cisco WLC is a group leader.



Table 5-123 RF Group Member Parameters


Controller Name controller on which the RF group is created.

IP Address (IPv4/IPv6) IPv4/IPv6 address of the Cisco WLC that belong to a RF group.

Note IPv6 is supported only for leader type (static-leader) of RF grouping.



802.11b Tx Power Control Choose WIRELESS > 802.11b/g/n > RRM > TPC to navigate to the 802.11b > RRM > Tx Power Control page.

This page enables you to edit the transmit power control (TPC) parameters.


The TPC algorithm balances RF power in many diverse RF environments. Automatic power control may not be able to resolve some scenarios in which an adequate RF design was not possible to implement due to architectural restrictions or site restrictions—for example, when all access points must be mounted in a central hallway, placing the access points close together, but requiring coverage out to the edge of the building.

In these scenarios, you can configure maximum and minimum transmit power limits to override TPC recommendations. The maximum and minimum TPC power settings only apply to access points that are attached to a controller from which they are configured. The default settings disable this feature, and you should use care when overriding TPC recommendations.

To set the Maximum Power Level Assignment and Minimum Power Level Assignment text boxes, enter the maximum and minimum transmit power used by RRM on the Tx Power Control page. The range for these parameters is –10 to 30 dBm. The minimum value cannot be greater than the maximum value; the maximum value cannot be less than the minimum value.




TPC Version Transmit Power Control version to be chosen from the following options:

• Interference Optimal Mode (TPCv2)—For scenarios where voice calls are extensively used. Transmit power is dynamically adjusted with the goal of minimum interference. It is suitable for dense networks. In this mode, there could be frequent roaming delays and coverage hole incidents.

• Coverage Optimal Mode (TPCv1)—(Default) Offers strong signal coverage and stability. In this mode, power can be kept low to gain extra capacity and reduce interference.

Power Level Assignment Method

Dynamic transmit power assignment has three modes:

• Automatic—(Default) The transmit power is periodically updated for all access points that permit this operation.

• On Demand—The transmit power is updated when Invoke Power Update Now is clicked.

• Fixed—No dynamic transmit power assignments occur and values are set to their global default.




Maximum Power Level Assignment (-10 to 30 dBm)

Maximum power level assignment on this radio.

Note If you configure a maximum transmit power, RRM does not allow any access point attached to the controller to exceed this transmit power level (whether the power is set by RRM TPC or by coverage hole detection). For example, if you configure a maximum transmit power of 11 dBm, then no access point would transmit above 11 dBm, unless the access point is configured manually.

The range is –10 to 30 dBm.

The default is 30.

Minimum Power Level Assignment (–10 to 30 dBm)

Minimum power level assignment on this radio.

The range is –10 to 30 dBm.


Power Assignment Leader Name and IP address of the power level assignment leader.

Last Power Level Assignment Elapsed time since the last transmit power assignment in seconds.

Power Threshold Cutoff signal level used by RRM when determining whether to reduce an access point’s power.

The default value for this parameter varies depending on the TPC version you choose. For TPCv1, the default value is –70 dBm, and for TPCv2, the default value is –67 dBm. The default value can be changed when access points are transmitting at higher (or lower) than desired power levels. The range for this parameter is –80 to –50 dBm.

Increasing this value (between –65 and –50 dBm) causes the access points to operate at higher transmit power rates. Decreasing the value has the opposite effect.

Note In applications with a dense population of access points, it may be useful to decrease the threshold to –80 or –75 dBm in order to reduce the number of BSSIDs (access points) and beacons seen by the wireless clients. Some wireless clients might have difficulty processing a large number of BSSIDs or a high beacon rate and might exhibit problematic behavior with the default threshold.

Power Neighbor Count Minimum number of neighbors that an access point must have for the transmit power control algorithm to run.





802.11b Dynamic Channel AssignmentChoose WIRELESS > 802.11b/g/n > RRM > DCA to navigate to the 802.11b > RRM > Dynamic Channel Assignment page.

This page enables you to specify the channels that the Dynamic Channel Assignment (DCA) algorithm considers when selecting the channels to be used for RRM scanning.

This functionality is helpful when you know that the clients do not support certain channels because they are legacy devices or they have certain regulatory restrictions.

Dynamic Channel Assignment Algorithm

This table describes the DCA algorithm parameters.





Channel Assignment Method Dynamic channel assignment has three modes:

• Automatic—Mode that periodically updates for all access point that permit this operation.

– Interval—How often the DCA algorithm has been configured to run.

Note If your controller supports only OfficeExtend access points, we recommend that you set the DCA interval to 6 hours for optimal performance. For deployments with a combination of OfficeExtend access points and local access points, the range of 10 minutes to 24 hours can be used.

– Anchor Time—The time of day when the DCA algorithm has been configured to start. The range is from 0 to 23 (12:00 a.m. to 11:00 p.m).

• Freeze—Mode that causes the controller to update channel assignments when you click Invoke Channel Update Now.

• OFF—Mode that turns off DCA and sets all access point radios to the first channel of the band, which is the default value. If you choose this option, you must manually assign channels on all radios.

The default is Automatic.

Avoid Foreign AP Interference Radio Resource Management (RRM) Foreign 802.11 interference-monitoring parameters that you can enable to have Radio Resource Management consider interference from foreign (non-Cisco access point outside the RF/mobility domain) access points when assigning channels to Cisco access points. You can disable this parameter to have Radio Resource Management ignore this interference. The default is unselected.

In certain circumstances with significant interference energy (dBm) and load (utilization) from Foreign APs, Radio Resource Management may adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the Foreign APs to increase capacity and reduce variability.

Avoid Cisco AP Load Radio Resource Management (RRM) Bandwidth-sensing parameter that you can enable controllers to consider the traffic bandwidth used by each access point when assigning channels to access point. You can disable this parameter to have Radio Resource Management ignore this value. The default is unselected.

In certain circumstances and with denser deployments, there may not be enough channels to properly create perfect channel reuse. In these circumstances, Radio Resource Management can assign better reuse patterns to those access points that carry more traffic load.



DCA Channel List

This table describes the DCA channel list parameters.

Avoid non-802.11a Noise Radio Resource Management (RRM) Noise-monitoring parameter that you can enable to have access points avoid channels that have interference from non-Access Point sources, such as microwave ovens or Bluetooth devices. Disable this parameter to have Radio Resource Management ignore this interference.

In circumstances with significant interference energy (dBm) from non-802.11 noise sources, Radio Resource Management may adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources to increase capacity and reduce variability.

Avoid Persistent Non-WiFi Interference

DCA parameter that you can enable to allow the controller to ignore persistent non-WiFi interference.

Channel Assignment Leader Name and IP address of the channel assignment leader. Cisco WLAN Solution, mobility groups Cisco WLAN Solution WPS groups. This is the MAC address of the group leader.

Last Auto Channel Assignment Last time the Radio Resource Management (RRM) evaluated the current channel assignment on a periodic basis. This parameter does not imply that channels have changed, only that the Radio Resource Management has made an evaluation of the current assignment.

DCA Channel Sensitivity Configured DCA sensitivity setting.

This setting determines how sensitive the DCA algorithm is to environmental changes, such as signal, load, noise, and interference, when determining whether to change channels. The available values are as follows:

• Low—The DCA algorithm is not particularly sensitive to environmental changes.

• Medium—The DCA algorithm is moderately sensitive to environmental changes.

• High—The DCA algorithm is highly sensitive to environmental changes.

The default value is Medium. The DCA sensitivity thresholds vary by radio band.

Note To see why the DCA algorithm changed channels, click Monitor and then View All under Most Recent Traps. The trap provides the MAC address of the radio that changed channels, the previous channel and the new channel, the reason why the change occurred, the energy before and after the change, the noise before and after the change, and the interference before and after the change.





Event Driven RRM

This table describes the event driven RRM parameters.


Table 5-126 DCA Channel List Parameters


DCA Channels Channels that are currently selected.

Select/Channel Select or exclude a channel.

Channels are as follows:1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

The default channels are as follows: 1, 6, 11

Table 5-127 Event Driven RRM Parameters


EDRRM Radio Resource Management (RRM) that you can enable or disable to run when a CleanAir enabled access point detects a significant level of interference. The default is unselected.

If enabled, set the sensitivity threshold level (below) at which the RRM is invoked.

Sensitivity Threshold Configured sensitivity threshold setting at which the RRM is invoked.

The available values are Low, Medium, High, or Custom. When the interference for the access point rises and the corresponding AQ index falls below the threshold level, RRM initiates a local channel assignment and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity. If you selected the EDRRM sensitivity threshold as custom, you must set a threshold value in the Custom Sensitivity Threshold field. The default sensitivity is 35. The EDRRM AQ threshold value for low sensitivity is 35, medium sensitivity is 50, and high sensitivity is 60.

The default value is Medium.

Rogue Contribution Check box to configure the Rogue Duty Cycle

Rogue Duty-Cycle Proportion of time (in percentage) during which the interfering device was active. Valid range is 1% to 99%.



802.11b Coverage Hole DetectionChoose WIRELESS > 802.11b/g/n > RRM > Coverage to navigate to the 802.11b > RRM > Coverage page.

This page enables you to configure coverage-hole detection or to specify the RSSI parameters.

This table describes the RRM coverage parameters.


Table 5-128 RRM Coverage Parameters


General

Enable Coverage Hole Detection

Coverage Hole Detection (CHD) that you can enable or disable.

Coverage Threshold

Data RSSI (-60 to -90 dBm) Minimum receive signal strength indication (RSSI) value for data packets received by the access point. The value that you enter is used to identify coverage holes (or areas of poor coverage) within your network. The range is from –60 to –90 dBm. The default value is –80 dBm.

If the access point receives a packet in the data queue with an RSSI value below the value that you enter, it indicates that a potential coverage hole has been detected. The access point takes data RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.

Voice RSSI (-60 to -90 dBm) Minimum receive signal strength indication (RSSI) value for voice packets received by the access point. The value that you enter is used to identify coverage holes within your network. The range is from –60 to –90 dBm. The default value is –75 dBm.

If the access point receives a packet in the voice queue with an RSSI value below the value that you enter, it indicates that a potential coverage hole has been detected. The access point takes voice RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.

Min Failed Client Count per AP (1 to 75)

Minimum number of clients on an access point with a signal-to-noise ratio (SNR) below the coverage threshold.

The default value is 3.

Coverage exception level per AP (0 to 100%)

Maximum desired percentage of clients on an access point’s radio operating below the desired coverage threshold.




802.11b RRMChoose WIRELESS > 802.11b/g/n > RRM > General to navigate to the 802.11b > RRM > General page.

This page enables you to specify general radio resource management (RRM) parameters.

Note The radios for the Cisco OEAP 600 Series access points are controlled through the local GUI on the Cisco OEAP 600 Series access points and not through the controller. It is not possible to control the spectrum channel, power, or disable the radios through the controller because it does not have any effect on the Cisco OEAP 600 Series access points. Therefore, RRM is not supported on the Cisco OEAP 600 Series access points.

This table describes the profile threshold parameters.

Noise/Interference/Rogue Monitoring Channels

This table describes the Noise/Interference/Rogue monitoring channels parameters.

Table 5-129 Profile Threshold Parameters


Interference (0 to 100%) Foreign 802.11b/g interference threshold between 0 and 100 percent. The default value is 10.

Clients (1 to 75) Client threshold between 1 and 75 clients. The default value is 12.

Noise (-127 to 0 dBm) Foreign noise threshold between –127 and 0 dBm. The default value is –70.

Utilization (0 to 100%) 802.11b/g RF utilization threshold between 0 and 100 percent. The default value is 80.

Table 5-130 Noise/Interference/Rogue Monitoring Channels Parameters


Channel List Country Channels drop-down box that you can choose one of the following:

• All Channels—RRM channel scanning occurs on all channels supported by the selected radio, which includes channels not allowed in the country of operation.

• Country Channels (default)—RRM channel scanning occurs only on the data channels in the country of operation.

• DCA Channels—RRM channel scanning occurs only on the channel set used by the dynamic channel assignment (DCA) algorithm, which by default includes all of the nonoverlapping channels allowed in the country of operation. However, you can use the 802.11a/n/ac Dynamic Channel Assignment page to specify the channel set to be used by DCA.



Monitor Intervals

This table describes the monitor interval parameters.

Click Set to Factory Default to set all Auto RF 802.11b/g parameters to the factory defaults.


802.11b/g Client RoamingChoose WIRELESS > 802.11b/g > Client Roaming to navigate to the 802.11b > Client Roaming page. Seamless client roaming within subnets across access points and virtual LANs (VLANs) is supported under Layer 2 security, and between subnets under Layer 3 security.

CCX-capable clients after association receive a list of neighboring APs, which is used by the clients for selecting the appropriate APs while roaming. This improves the roaming time. The values for RSSI and Hysteresis are used for fine tuning the roaming behavior and Neighbor list.

This table describes the 802.11b/g client roaming parameters.

Table 5-131 Monitor Interval Parameters


Channel Scan Interval Interval (in seconds) at which the channel scanning occurs.


Note If your controller supports only OfficeExtend access points, We recommend that you set the channel scan duration to 1800 seconds for optimal performance. For deployments with a combination of OfficeExtend access points and local access points, the range of 60 to 3600 seconds can be used.

Neighbor Packet Frequency Interval (in seconds) for how frequently the access point measures signal strength and how frequently neighbor packets (messages) are sent, which eventually builds the neighbor list.


Note If your controller supports only OfficeExtend access points, We recommend that you set the neighbor packet frequency to 600 seconds for optimal performance. For deployments with a combination of OfficeExtend access points and local access points, the range of 60 to 3600 seconds can be used.

Note The valid interval range is from 60 to 3600 seconds.

Table 5-132 802.11b/g Client Roaming Parameters


Mode Drop-down box: Default or Custom.

Note The following fields can be changed when you select Custom mode.




802.11b/g Voice ParametersChoose WIRELESS > 802.11b/g > Media to navigate to the 802.11b (2.4 GHz) > Media pageand click on the Voice tab.

This page enables you to set the voice quality parameters over the 802.11 b/g link.

Minimum RSSI Actual value in dBm (the valid range is from –80 to –90; the default value is –85).

This parameter indicates the minimum received signal strength indicator (RSSI) required for the client to associate to an access point. If the client’s average received signal power dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.

Hysteresis Actual value in dB (the valid range is from 2 to 4; the default value is 2).

This parameter indicates how strong the signal strength of a neighboring access point must be in order for the client to roam to it. This parameter is intended to reduce the amount of roaming between access points if the client is physically located on or near the border between two access points.

Scan Threshold Actual value in dBm (the valid range is from –70 to –77; the default value is –72).

This parameter indicates the RSSI value, from a client’s associated access point, below which the client must be able to roam to a neighboring access point within the specified transition time. This parameter also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.

Transition Time Actual value in seconds (the valid range is from 1 to 10; the default value is 5).

Note For high-speed client roaming applications in outdoor mesh environments, a setting of 1 second is recommended.

This parameter indicates the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client’s associated access point is below the scan threshold.

Table 5-132 802.11b/g Client Roaming Parameters




Note Disable all WMM-enabled WLANs prior to changing voice parameters. Reenable the WMM-enabled WLANs after you have applied the voice settings.

CAC Parameters

This table describes the 802.11b/g CAC parameters.

Note SIPs are available only on the Cisco 4400 Series Controllers and the Cisco 5500 Series Controllers and on for the following access points: 1240, 1130, and 11n.

Table 5-133 802.11b/g CAC Parameters


Admission Control (ACM) Voice CAC for this radio band that you can enable or disable. The default value is disabled.

For more information, see the “Call Admission Control” topic.

Load-based CAC Load-based CAC that you can enable or disable. Load-based AC is disabled by default.

For more information, see the “Load-Based CAC” topic.

Max RF Bandwidth (%) Percentage of the maximum bandwidth allocated to clients for voice applications on this radio band. Once the client reaches the value specified, the access point rejects new calls on this radio band.


Reserved Roaming Bandwidth (%) Percentage of maximum allocated bandwidth reserved for roaming voice clients. The controller reserves this much bandwidth from the maximum allocated bandwidth for roaming voice clients.


Expedited Bandwidth Enables CCXv5 clients to indicate the urgency of a WMM traffic specifications (TSPEC) request (for example, an e911 call) to the WLAN. This setting is enabled by default.

For more information, see the “Expedited Bandwidth Request” topic.

SIP Codec Codec name that you want to use on this radio. The available options are G.711, G.729, and User Defined.

SIP Bandwidth (kbps) Bandwidth in kilobits per second you want to assign per SIP call on the network. This parameter can be configured only when the SIP Codec selected is User Defined.

SIP Voice Sample Interval (msecs) Sample interval in milliseconds that the codec must operate.



802.11 b/g TSM Parameters

This table describes the 802.11b/g TSM parameters.

Call Admission Control

Call admission control (CAC) enables an access point to maintain controlled quality of service (QoS) when the wireless LAN is experiencing congestion.

CAC enables the client to specify how much bandwidth or shared medium time would be required to accept a new call and in turn enables the access point to determine whether it is capable of accommodating this particular call. The access point rejects the call if necessary in order to maintain the maximum allowed number of calls with acceptable quality.

To use CAC with voice applications, do the following:

• Configure the WLAN for Platinum QoS

• Enable the Wi-Fi Multimedia (WMM) protocol for the WLAN

Note You must enable admission control (ACM) for CCXv4 clients that have WMM enabled. Otherwise, CAC does not operate properly.

Unscheduled automatic power save delivery (U-APSD) is a QoS facility defined in IEEE 802.11e that extends the battery life of mobile clients. In addition to extending battery life, this feature reduces the latency of traffic flow delivered over the wireless media. Because U-APSD does not require the client to poll each individual packet buffered at the access point, it allows delivery of multiple downlink packets by sending a single uplink trigger packet. U-APSD is enabled automatically when WMM is enabled.

Load-Based CAC

Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

In load-based CAC, the access point periodically measures and updates the utilization of the RF channel, channel interference, and the additional calls that the access point can admit. The access point admits a new call only if the channel has enough unused bandwidth to support that call. By doing so, load-based CAC prevents over-subscription of the channel and maintains QoS under all conditions of WLAN loading and interference.

Table 5-134 802.11b/g TSM Parameters


Metrics collection TSM collection that you can enable or disable. The default is unselected.

For more information, see the “Traffic Stream Metrics (TSM)” topic.



Expedited Bandwidth Request

The expedited bandwidth request feature enables CCXv5 clients to indicate the urgency of a WMM traffic specifications (TSPEC) request (for example, an e911 call) to the WLAN. When the controller receives this request, the controller attempts to facilitate the urgency of the call in any way possible without potentially altering the quality of other TSPEC calls that are in progress.

You can apply expedited bandwidth requests to both static and load-based CAC.

Expedited bandwidth requests are enabled by default. If you configured the WLAN in such a way that it does not support CCX V5 or if you disabled expedited bandwidth requests, the controller ignores all expedited requests and processes TSPEC requests as normal TSPEC requests.

See the following table for examples of TSPEC request handling for normal TSPEC requests and expedited bandwidth requests.

This table describes the expedited bandwidth request parameters.

Traffic Stream Metrics (TSM)

In a voice-over-wireless LAN (VoWLAN) deployment, four variables can affect audio quality: packet latency, packet jitter, packet loss, and roaming time. These variables are referred to as TSM. An administrator can isolate poor voice quality issues by studying these variables.

You can configure TSM on a per radio-band basis (for example, all 802.11a radios). The controller saves the configuration in flash memory so that it persists across reboots. After an access point receives the configuration from the controller, it enables TSM on the specified radio band.

Note Access points support TSM in both local and FlexConnect modes.

Table 5-135 Expedited Bandwidth Request Parameters

CAC Mode

Reserved bandwidth for voice calls1

1. For the static (bandwidth-based) CAC, the voice call bandwidth usage is per access point and does not take into account co-channel access points. For load-based CAC, the voice call bandwidth usage is measured for the entire channel.

Usage2

2. Static CAC (consumed voice and video bandwidth) or load-based CAC (channel utilization [Pb]).

Normal TSPEC Request

TSPEC with Expedited Bandwidth Request

Static CAC 75% (default setting)



Rejected Admitted


Load-based CAC



Rejected Admitted





802.11b/g/n Video ParametersChoose WIRELESS > 802.11b/g/n > Media to navigate to the 802.11b(2.4 GHz) > Media page and click on the Video tab.

This page enables you to set the parameters to adjust video quality over an 802.11b/g/n link.

Note Disable all WMM-enabled WLANs prior to changing video parameters. Reenable the WMM-enabled WLANs after you have applied the video settings.

This table describes the 802.11b/g video parameters.


802.11b/g Media ParametersChoose WIRELESS > 802.11b/g/n > Media to navigate to the 802.11b(2.4 GHz) > Media page and click on the Media tab.

This page enables you to set the video quality parameters over an 802.11b/g/n link.

This table describes the 802.11 b/g/n general media parameters.

Table 5-136 802.11b/g Video Parameters


Admission Control (ACM) Video CAC for this radio band that you can enable or disable. The default is unselected.

Max RF Bandwidth (%) Percentage of the maximum bandwidth allocated to clients for video applications on this radio band. Once the client reaches the value specified, the access point rejects new requests on this radio band.

The valid range is from 0 to 100%; however, the maximum RF bandwidth cannot exceed 100% for voice + video. The default value is 0%.

Reserved Roaming Bandwidth (%)

Percentage of maximum allocated bandwidth reserved for roaming video clients. The controller reserves this much bandwidth from the maximum allocated bandwidth for roaming video clients.

The valid range is from 0 to 25%. The default value is 0%.

Table 5-137 802.11 b/g/n General Media Parameters


Unicast Video Redirect Enables unicast video redirect. The default value is enabled.


Chapter 5 Wireless Tab 802.11b/g EDCA Parameters

This table describes the multicast direct admission control parameters.

802.11b/g EDCA ParametersChoose WIRELESS > 802.11b/g/n > EDCA Parameters to navigate to the EDCA Parameters page.

This page enables you to configure enhanced distributed channel access (EDCA) parameters. EDCA parameters are designed to provide preferential wireless channel access for voice, video, and other quality-of-service (QoS) traffic.

Table 5-138 Multicast Direct Admission Control Parameters


Maximum Media Bandwidth (0 - 85%) Percentage of maximum bandwidth allocated to clients for media applications on this radio band. Once the client reaches the value specified, the access point rejects new calls on this radio band.

The default value is 85%; valid values are from 0 –85%.

Client Phy rate Minimum transmission data rate to the client. If the transmission data rate is below the phy rate, either the video will not start or the client may be classified as a bad client. The bad client video can be demoted for better effort QoS or subject to denial.

Maximum Retry Percent Percentage of the maximum retries that are allowed. The default value is 80. If it exceeds 80, either the video will not start or the client may be classified as a bad client. The bad client video can be demoted for better effort QoS or subject to denial.



Multicast Direct Enable Multicast direct for this radio. This parameter is enabled by default.

Max Streams per Radio Maximum number of streams allowed per radio. The range is 0 to 20. The default value is set to auto. If you choose auto, then there is no limit set for the number of client subscriptions.

Max Streams per Client Maximum number of streams allowed per client. The range is 0 to 20. The default value is set to auto. If you choose auto, then there is no limit set for the number of client subscription.

Best Effort QoS Admission If enabled, the controller admits the media stream in the best radio queue for this radio. The default is disabled.


Chapter 5 Wireless Tab 802.11n (2.4 GHz) High Throughput

Note You must disable the radio network before configuring EDCA parameters. To disable the radio network, go to the 802.11b/g/n Global Parameters page, unselect the 802.11b/g Network Status check box, and click Apply.

After you configure the EDCA parameter, reenable the radio network. To reenable the radio network, go to the 802.11b/g/n Global Parameters page, check the 802.11b/g Network Status check box, and click Apply.

This table describes the EDCA general parameters.


802.11n (2.4 GHz) High ThroughputChoose WIRELESS > 802.11b/g/n > High Throughput (802.11n) to navigate to the High Throughput page.

This page enables you to configure 802.11n support on the network and support of the different Modulation Coding Schemes (MCS) settings. The MCS index determines the number of spatial streams, the modulation, the coding rate, and data rate values.

Table 5-140 EDCA General Parameters


EDCA Profile Choose one of the following options from the EDCA Profile drop-down list:

• WMM—(Default) Enables the Wi-Fi Multimedia (WMM) default parameters. Choose this option when voice or video services are not deployed on your network.

• Spectralink Voice Priority—Enables Spectralink voice priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.

• Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than Spectralink are deployed on your network.

• Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.

Note If you deploy video services, admission control (ACM) must be disabled from the 802.11b/g/n Video Parameters page.

Enable Low Latency MAC MAC optimization for voice that you can enable or disable.

This feature enhances voice performance by controlling packet retransmits and appropriately aging out voice packets on lightweight access points, thereby improving the number of voice calls serviced per access point.


Chapter 5 Wireless Tab 802.11b CleanAir

This table describes the 802.11n (2.4 GHz) high throughput parameters.


802.11b CleanAirTo configure Cisco CleanAir functionality on the 802.11b/g/n network using the controller GUI, follow these steps:

Step 1 Choose Wireless > 802.11b/g/n > CleanAir to navigate to the 802.11b/g/n CleanAir page.


Step 2 Select the CleanAir check box to enable CleanAir functionality on the 802.11b/g/n network, or unselect it to prevent the controller from detecting spectrum interference. The default is enabled.

Step 3 Select the Report Interferers check box to enable the CleanAir system to report any detected sources of interference, or unselect it to prevent the controller from reporting interferers. The default is enabled.

Note Device Security alarms, Event Driven RRM, and Persistence Device Avoidance algorithm will not work if Report Interferers is disabled.

Step 4 Select the Persistent Device Propagation check box to enable propagation of information about persistent devices that can be detected by CleanAir. Persistent device propagation enables designating information about interference types and propagating this information to the neighboring access points associated with the same controller. Persistent interferers are present at the location and interfere with the WLAN operations even if they are not detectable at all times

Step 5 Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences to Detect multiple select text box and any that do not need to be detected appear in the Interferences to Ignore multiple select text box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources are detected. The possible sources of interference include the following:

• Canopy—A canopy bridge device

• Continuous Transmitter—A continuous transmitter

• DECT-like Phone—A digital enhanced cordless communication (DECT)-compatible phone

Table 5-141 802.11n (2.4 GHz) High Throughput Parameters


11n Mode 802.11n mode on the network that you can enable or disable. The default is enabled.

MCS (Data Rate) Settings (0 through 23) Support for a specific MCS that you can enable or disable. By default all MCS data rate settings are enabled.


Chapter 5 Wireless Tab 802.11b CleanAir

• Jammer—A jamming device

• SuperAG—An 802.11 SuperAG device

• TDD Transmitter—A time division duplex (TDD) transmitter

• Video Camera—A video camera

• WiFi Invalid Channel—A device using nonstandard Wi-Fi channels

• WiFi Inverted Channel—A device using spectrally inverted Wi-Fi signals

• WiMAX Fixed—A WiMAX fixed device (802.11a/n/ac only)

• WiMAX Mobile—A WiMAX mobile device (802.11a/n/ac only)

Note Access points associated to the controller send interference reports only for the type of interferer devices that appear in the Interferences to Detect text box. This functionality enables you to filter out source of interference that you do not want as well as any that may be flooding the network and causing performance problems for the controller or Cisco PI. Filtering allows the system to resume normal performance levels.

Step 6 Configure CleanAir alarms as follows:

a. Select the Enable AQI (Air Quality Index) Trap check box to enable the triggering of air quality alarms, or unselect the check box to disable this feature. The default value is selected.

b. If you selected the Enable AQI Trap check box in the step above, enter a value between 1 and 100 (inclusive) in the AQI Alarm Threshold text box to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default is 35.

• Enter the AQI Alarm Threshold (1 to 100) that you want to set. An alarm is generated when the air quality reaches a threshold value. The default is 35. The valid range is between 1 and 100.

• Select the Enable trap for Unclassified Interferences check box to enable the traps to be generated for unclassified interferences. Cisco CleanAir can detect and monitor unclassified interferences. Unclassified interferences are interferences that are detected but do not correspond to any of the known interference types.

• Enter the Threshold for Unclassified category trap (1 to 99). Enter a value between 1 and 99. The default is 20. This configuration enables traps to be sent at a set threshold.

c. Select the Enable Interference For Security Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselect the check box to disable this feature. The default value is selected.

d. Make sure that any sources of interference that need to trigger interferer alarms appear in the Trap on These Types multiple select text box and any that do not need to trigger interferer alarms appear in the Do Not Trap on These Types text box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources trigger interferer alarms.

For example, if you want the controller to send an alarm when it detects a jamming device, select the Enable Interference Type Trap check box and move the jamming device to the Trap on These Types multiple select box.

Step 7 The Event Driven RRM section displays the current status or the event-driven radio resource management configured on this radio:

• EDRRM—Displays the current status of the spectrum event-driven RRM.

• Sensitivity Threshold—Displays the threshold level at which the event-driven RRM is invoked.


Chapter 5 Wireless Tab Configuring Media Stream

Note If you want to change the current status of event-driven RRM or the sensitivity level, click Change Settings. The 802.11a (or 802.11b) > RRM > Dynamic Channel Assignment (DCA) page appears.


Configuring Media Stream Choose WIRELESS > Media Stream > General to navigate to the Media Stream > General page.

The IEEE 802.11 wireless multicast delivery mechanism does not provide a reliable way to acknowledge lost or corrupted packets. As a result, lost or corrupted packets are not sent and may cause an IP multicast stream to be not viewable.

This page allows you to enable or disable multicast direct support on the network. Additionally, you can also configure an acknowledgement mechanism in which an acknowledgment is sent to clients when the access point receives multicast frames.

This table describes the media stream general parameters.


Table 5-142 Media Stream General Parameters


Multicast Direct Feature Multicast direct that you can enable or disable. The default is enabled.

Note Enabling the Multicast feature does not automatically reset the existing client state. You must reset the multicast direct-enabled WLAN and 802.11 networks to clear clients.

Session Message Config

Session announcement State Session announcement mechanism to the client. If enabled, clients are informed every time the controller is not able to serve multicast-direct data to the client. The default is unselected.

Session announcement URL URL where the client can find more information when errors occur during multicast media stream transmission.

Session announcement Email E-mail ID of the person who can be contacted.

Session announcement Phone Phone number of the person who can be contacted.

Session announcement Note Reason as to why a particular client cannot be served with a multicast media.


Chapter 5 Wireless Tab Media Streams

Media StreamsChoose WIRELESS > Media Stream > Streams to navigate to the Media Streams page.

This page enables you to list all the multicast media streams configured on the controller.

This table describes the media stream parameters.

Click Add New to configure a new media stream. See the “Configuring a New Media Stream and Enabling the Media Stream” topic.

Click Delete All delete the multicast media streams.

Configuring a New Media Stream and Enabling the Media StreamTo configure a new media stream, follow these steps:

Step 1 Choose WIRELESS > Media Stream > Streams to navugate to the Media Streams page.

Step 2 Click Add New to configure a new media stream.

Step 3 Specify the following details for the new stream as follows:

Note The Stream Name, Multicast Destination Start IP Address, and Multicast Destination End IP Address text boxes are mandatory. You must enter information in these text boxes.

• Stream Name—Specifies a unique name to the stream. The stream name can be up to 64 characters.

• Multicast Destination Start IP Address—Specifies the starting IP address (IPv4 or IPv6) of the multicast media stream.

• Multicast Destination End IP Address—Specifies the ending IP address (IPv4 or IPv6) of the multicast media stream.

• Maximum Expected Bandwidth (1 to 35000 Kbps)—Specifies the maximum expected bandwidth that you want to assign to the media stream. The values can range between 1 to 35000 Kbps.

Note We recommend that you use a template to add a media stream to the controller.

Table 5-143 Media Stream Parameters


Stream Name Multicast media stream name.

Start IP Address Starting IP address (IPv4 or IPv6) of the media stream for which the multicast direct feature is enabled.

End IP Address Ending IP address (IPv4 or IPv6) of the media stream for which the multicast direct feature is enabled.

Operational Status Operational status of this media stream.


Chapter 5 Wireless Tab Media Streams

Step 4 From the Select from Predefined Templates drop-down list under Resource Reservation Control (RRC) Parameters, choose one of the following options to specify details about the resource reservation control:

• Very Coarse (below 300 Kbps)

• Coarse (below 500 Kbps)

• Ordinary (below 750 Kbps)

• Low (below 1 Mbps)

• Medium (below 3 Mbps)

• High (below 5 Mbps)

Note When you select a template from the drop-down list, the following text boxes under the Resource Reservation Control (RRC) Parameters list their default values that are assigned with the template.

• Average Packet Size (100–1500 bytes)—Specifies the average packet size. The range is 100 to 1500 bytes. The default value is 1200.

• RRC Periodic update—Enables the RRC Periodic update. The RRC Decision message is periodically sent to the access point to update the media stream status. This message is sent at the time of admission and re-RRC calculations. The default is enabled.

• RRC Priority (1–8)—Specifies the priority bit set in the media stream. The priority can be any number from 1 to 8. The larger the value means the higher the priority is. For example, a priority of 1 is the lowest value and a value of 8 is the highest value. The default priority is 4. The low priority stream may be denied in the RRC periodic update.

• Traffic Profile Violation—Specifies the action to perform in case of a violation after a re-RRC. Select an action from the drop-down list. The possible values are as follows:

– Drop—Specifies that a stream is dropped on periodic revaluation.

– Fallback—Specifies that a stream is demoted to best-effort class on periodic reevaluations.

The default is Drop.

Step 5 Click Apply to save the configuration changes.

Note To enable the media stream using the controller GUI, perform Step 5 to Step 8.

Note The media stream added needs to be enabled for multicast-direct.

Step 6 Choose WLANs > WLAN ID to open the WLANs > Edit page.

Step 7 Choose the QoS tab and select Gold (Video) from the Quality of Service (QoS) drop-down list.

Step 8 Enable Multicast Direct.

Step 9 Click Apply to save the configuration changes.


Chapter 5 Wireless Tab Application Visibility and Control

Application Visibility and ControlApplication Visibility and Control (AVC) uses the Network Based Application Recognition (NBAR) deep packet inspection technology to classify applications based on the protocol they use. Using AVC, the controller can detect more than 1500 Layer 4 to Layer 7 protocols. AVC enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades. AVC recognizes applications and passes this information to other features like QoS, NetFlow, or firewall, which can take action based on the classification

Guidelines

• Only WLANS on local mode access points, or centrally switched on FlexConnect access points can have applications recognized by NBAR.

• Only IPv4 traffic can be analyzed using AVC.

Note AVC is supported only on the Cisco 2500 and 5500 Series Wireless Controllers, Cisco WiSM2, and Cisco Flex 7500 Series Wireless Controllers and Cisco 8500 Series Wireless Controllers,

Choose WIRELESS > Application Visibility and Control to navigate to this page. From here, you can choose the following:

• WIRELESS > Application Visibility and Control > Applications to view all the supported applications.

See AVC Applications for more information.

• WIRELESS > Application Visibility and Control > Profiles to add new and view existing profiles to the controller.

See AVC Profiles for more information.

AVC ApplicationsChoose WIRELESS > Application Visibility and Control > Applications to navigate to the AVC Applications page. This page enables you to view details of all the 1536 applications.

This table describes the AVC application parameters.



To view all classified applications, choose Monitor > Applications, click the WLAN ID to navigate to the Monitor > Clients page.

AVC ProfilesChoose WIRELESS > Application Visibility and Control > Profiles to navigate to the AVC Profiles page.

This page allows you to view the AVC profiles configured on the Cisco WLC.


Application Name Name of the application.

Application Group Name of the application group to which the application belongs. The supported application groups are as follows:

• Browsing

• Business and productivity tools

• Email

• File sharing

• Gaming

• Industrial protocols

• Instant messaging

• Internet privacy

• Layer3 over IP

• Location-based services

• Net admin

• Newsgroup

• Obsolete

• Other

• Trojan

• Voice and video

Application ID Unique ID assigned to the application.

Engine ID Engine ID assigned to each application by the NBAR engine. This ID is used by Prime Assurance Manager (PAM) to display application names.

Selector ID Selector ID assigned to each application by the NBAR engine. This ID is used by PAM to display application names.



Guidelines

• You can configure only one AVC profile per WLAN.

• Each AVC profile can have up to 32 rules.

• Each rule states a Mark or Drop action for an application, which allows you to configure up to 32 application actions per WLAN.

• You can configure up to 16 AVC profiles on a controller.

• You can associate an AVC profile with multiple WLANs.

• AVC profiles do not support AAA Override.

• AVC profiles are applied per WLAN and not per user.

To delete an AVC profile, click the blue arrow adjacent the profile and choose Remove.

To add a new AVC profile, click New.

Configuring a New AVC Profile and Adding Rules to the ProfileTo configure a new AVC profile, follow these steps:

Step 1 Choose WIRELESS > Application Visibility and Control > Profiles and click New to configure a new AVC profile.

Step 2 Specify the AVC profile name. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Step 3 Click Apply. The new AVC profile appears in the list of AVC profiles configured on the Cisco WLC.

Step 4 Click the AVC Profile name to navigate to the AVC Profile > Edit page.

Step 5 Click Add New Rule to configure a policy for an application.

Step 6 Specify the following details for the AVC Profile as follows:


Application Group Drop-down list from which you can choose an application group.

Application Name Drop-down list from which you can choose an application from the chosen application group.



To edit a rule, click Add New Rule, select the application and configure a different action.

Step 7 Click Apply.

To apply an AVC profile to all clients in a WLAN, choose WLANs and click the Profile name to navigate to the WLANs > Edit page.

Action Drop-down list from which you can choose the following:

• Drop—Drops the upstream and downstream packets that correspond to the chosen application.

• Mark— Marks the upstream and downstream packets that correspond to the chosen application with the DSCP value that you specify in the Differentiated Services Code Point (DSCP) drop-down list. The DSCP value helps you to provide differentiated services based on the QoS levels. If an AVC profile mapped to a WLAN has a rule for MARK action, that application gets precedence according to the QoS profile configured in the AVC rule overriding the QoS profile configured on WLAN.

The default action is to permit all applications. NBAR helps identify both high and low priority traffic so that appropriate QoS policy is applied on per WLAN.

DSCP Packet header code that is used to define QoS across the Internet. The DSCP values are mapped to the following QoS levels:


• Gold (Video)—Supports the high-quality video applications.


• Bronze (Background)— Provides the lowest bandwidth for guest services.

You can also choose Custom and specify the DSCP value. The range is from 0 to 63.



Chapter 5 Wireless Tab Lync Server

Lync ServerMicrosoft Lync server manages services such as voice, video, application sharing and file transfer for clients. Microsoft has an SDN (software-defined network) support, which if subscribed to, sends information with respect to those calls.

The WLC solution subscribes to the Lync messages and apply relevant QoS Policies to active Lync calls for wireless clients, which belong to a given WLC.

For a detailed implementation information, see http://www.cisco.com/c/dam/en/us/products/collateral/wireless/lync.pdf.

Choose WIRELESS > Lync Server to navigate to the Global Lync Server Configuration page.

CountryChoose WIRELESS > Country to navigate to the Country page.

On this page, select the country code or codes where the Cisco WLC and associated access points are installed and operational. This selection ensures that the listed broadcast frequency bands, interfaces, channels, and transmit power levels are compliant with country-specific regulations.

For more information on configuring country codes, see the Configuring the Country Code topic.

Note Generally, you configure one country code per controller, (the one matching the physical location of the controller and its access points). However, you can configure up to 20 country codes per controller. This multiple-country support enables you to manage access points in various countries from a single controller.

For more information on configuring multiple country codes, see the Multiple Country Codes topic.

Note Both 802.11a/n/ac and 802.11b/g/n networks must be disabled in order to change the country code.

For a complete list of country codes supported per product, refer to this URL:

The currently supported countries are as follows:


Lync Server Check box to enable global Lync SDN.

Port Text box to specify the port number that the Lync service has to listen to. This number is arbitrary and is not a fixed port. Ensure that the same number is configured on the Lync Server side as well.

Protocol Two options:

• HTTP

• HTTPS

We recommend that you use HTTPS.


http://www.cisco.com/c/dam/en/us/products/collateral/wireless/lync.pdf

Chapter 5 Wireless Tab Country

http://www.cisco.com/c/en/us/products/collateral/wireless/access-points/product_data_sheet0900aecd80537b6a.html

• AE (United Arab Emirates)

• AR (Argentina)

• AT (Austria), which allows 802.11a/n/ac and 802.11b/g/n

• AU (Australia), which allows 802.11a and 802.11b

• BE (Belgium), which allows 802.11a and 802.11b/g

• BH (Bahrain)

• BG (Bulgaria)

• BR (Brazil), which allows 802.11a and 802.11b/g

• CA (Canada), which allows 802.11b/g

• CA2 (Canada) DCA excludes UNII-2

• CH (Switzerland and Liechtenstein), which allows 802.11a and 802.11b/g

• CL (Chile)

• CN (China)

• CO (Colombia)

• CY (Cyprus), which allows 802.11a and 802.11b/g

• CZ (Czech Republic), which allows 802.11a and 802.11b

• DE (Germany), which allows 802.11a and 802.11b/g

• DK (Denmark), which allows 802.11a and 802.11b/g

• DO (Dominican Republic)

• EE (Estonia), which allows 802.11a and 802.11b/g

• ES (Spain), which allows 802.11a and 802.11b/g

• FI (Finland), which allows 802.11a and 802.11b/g

• FR (France), which allows 802.11a and 802.11b/g

• GB (United Kingdom), which allows 802.11a and 802.11b/g

• GI (Gibraltar)

• GR (Greece), which allows 802.11b/g

• HK (Hong Kong), which allows 802.11a and 802.11b/g

• HU (Hungary), which allows 802.11a and 802.11b/g

• ID (Indonesia)

• IE (Ireland), which allows 802.11a and 802.11b/g

• IL (Israel), which allows 802.11a and 802.11b/g

• ILO (Israel Outdoors), which allows 802.11a and 802.11b/g

• IN (India), which allows 802.11a and 802.11b

• IQ (Iraq)

• IS (Iceland), which allows 802.11a and 802.11b/g

• IT (Italy), which allows 802.11a and 802.11b/g


http://www.cisco.com/c/en/us/products/collateral/wireless/access-points/product_data_sheet0900aecd80537b6a.html


• JP (Japan), which allows 802.11a and 802.11b/g

• J2 (Japan 2 P)

• J3 (Japan 3 U)

• KE (Korea Extended K)

• KR (Republic of Korea), which allows 802.11a and 802.11b/g

• KW (Kuwait)

• LI (Liechtenstein)

• LT (Lithuania), which allows 802.11a and 802.11b/g

• LU (Luxembourg), which allows 802.11a and 802.11b/g

• LV (Latvia), which allows 802.11b/g

• MC (Monaco)

• ME (Montenegro)

• MK (Macedonia)

• MT (Malta)

• MX (Mexico)

• MY (Malaysia), which allows 802.11b/g

• NL (Netherlands), which allows 802.11a and 802.11b/g

• NO (Norway), which allows 802.11a and 802.11b/g

• NZ (New Zealand), which allows 802.11a and 802.11b/g

• OM (Oman)

• PA (Panama)

• PE (Peru)

• PH (Philippines), which allows 802.11a and 802.11b

• PH2 (Philippines (DCA excludes UNII))

• PK (Pakistan)

• PL (Poland), which allows 802.11a and 802.11b/g

• PR (Puerto Rico)

• PT (Portugal), which allows 802.11a and 802.11b/g

• PY (Paraguay)

• QA (Qatar)

• RS (Serbia)

• RU (Russian Federation)

• RO (Romania)

• SA (Saudi Arabia)

• SE (Sweden), which allows 802.11a and 802.11b/g

• SG (Singapore), which allows 802.11a and 802.11b/g

• SI (Slovenia), which allows 802.11a and 802.11b/g

• SK (Slovak Republic), which allows 802.11a and 802.11b/g



• TH (Thailand), which allows 802.11b/g

• TN (Tunisia)

• TR (Turkey)

• TW (Taiwan), which allows 802.11a and 802.11b/g

• UA (Ukraine)

• US (United States of America), which allows an 802.11b/g operation, and 802.11a Low, Medium, and High bands

• USE (USA), which allows 802.11a and 802.11b/g

• USL (USA Low), which allows an 802.11b/g operation, and 802.11a Low and Medium bands. (Used for legacy 802.11a interface cards that do not support 802.11a High band)

• USX (USA Extended), which allows 802.11a and 802.11b/g

• VE (Venezuela)

• ZA (South Africa), which allows 802.11a and 802.11b/g


Configuring the Country Code

Note Disable both the 802.11a/n/ac and 802.11b/g/n networks to change the country code.

To configure the country code using the GUI, follow these steps:

Step 1 Disable the 802.11a/n/ac and 802.11b/g/n networks as follows:

a. Click Wireless > 802.11a/n/ac > Network.

b. Unselect the 802.11a Network Status Enabled check box.

c. Click Apply to commit your changes.

d. Click Wireless > 802.11b/g/n > Network.

e. Unselect the 802.11b/g Network Status Enabled check box.

f. Click Apply to commit your changes.

Step 2 Click Wireless > Country to access the Country page.

Step 3 Select the check box for the country where your access point is installed.


Step 5 Reenable the 802.11a/n/ac and 802.11b/g/n networks that you disabled in Step 1.

Step 6 Click Save Configuration to save your settings.



Multiple Country CodesYou can configure up to 20 country codes for each controller. This multiple-country support enables you to manage access points in various countries from a single controller.

Guidelines

Follow these guidelines when configuring multiple country codes:

• The multiple-country feature is not supported for use with Cisco Aironet 1500 series mesh access points.

• When multiple countries are configured and the radio resource management (RRM) auto-RF feature is enabled, the auto-RF feature is limited to only the channels that are legal in all configured countries and to the lowest power level common to all configured countries. The access points are always able to use all legal frequencies but uncommon channels can only be assigned manually.

• The access point can only operate on the channels for the countries that they are designed for.

Note If an access point is set to a higher legal power level or is configured manually, the power level is limited only by the particular country to which that access point is assigned.

• When multiple countries are configured, the 802.11a/n/ac network is disabled for all the countries if any country does not support the 802.11a radio, or there are no common channels on the 802.11a radio.

• The country list configured on the RF group leader determines what channels the members would operate on. This is independent of what countries have been configured on the RF Group members.

Configuring Multiple Country Codes

Note Disable both the 802.11a/n/ac and 802.11b/g/n networks to change the country code.

To configure country codes using the GUI, follow these steps:

Step 1 Disable the 802.11a/n/ac and 802.11b/g/n networks as follows:

a. Click Wireless > 802.11a/n/ac > Network.

b. Unselect the 802.11a Network Status Enabled check box.

c. Click Apply to commit your changes.

d. Click Wireless > 802.11b/g/n > Network.

e. Unselect the 802.11b/g Network Status Enabled check box.

f. Click Apply to commit your changes.

Step 2 Choose Wireless > Country to access the Country page.

Step 3 Choose the check box for each country where your access points are installed.

Step 4 If you selected more than one check box in Step 3, a message appears indicating that RRM channels and power levels are limited to common channels and power levels. Click OK to continue or Cancel to cancel the operation.


Chapter 5 Wireless Tab Timers


Step 6 Re-enable the 802.11a/n/ac and 802.11b/g/n networks if you did not re-enable them in Step 1.


Changing Default Country Codes

To see the default country chosen for each access point and to choose a different country if necessary, follow these steps:

Note If you remove a country code from the configuration, any access points that are assigned to the deleted country are reassigned to one of the remaining countries if possible.

Step 1 Click Wireless > Access Points > All APs to access the All APs page.

Step 2 Click the link for the desired access point.

The default country for the access point appears in the Country Code drop-down list. The drop-down list contains only those country codes that are compatible with the regulatory domain of at least one of the access point’s radios.

Step 3 If the access point is installed in a country other than the one shown, choose the correct country from the drop-down list.


Step 5 Repeat Step 2 through Step 4 to assign all the access points that are joined to the controller of a specific country.

Step 6 Re-enable the 802.11a/n/ac and 802.11b/g/n networks.


TimersChoose WIRELESS > Timers to navigate to the Timers page. This page enables you to view the timeout parameter.

This table describes the timer parameters.


Table 5-144 Timer Parameters

Timer Description

802.11 Authentication Response Timeout 802.11 authentication response timeout that is between 5 and 60 seconds. The default is 10 seconds.


Chapter 5 Wireless Tab NetFlow

NetFlowChoose WIRELESS > Netflow to navigate to the Netflow page.

NetFlow is a protocol that provides valuable information about network users and applications, peak usage times, and traffic routing. This protocol collects IP traffic information from network devices to monitor traffic. The NetFlow architecture consists of the following components:

• Collector—An entity that collects all the IP traffic information from various network elements. NBAR exports traffic data to a NetFlow Collector.

• Exporter—A network entity that exports the template with the IP traffic information. The controller acts as an exporter. Configuring an exporter on the controller enables the collection of application statistics for export to an external monitor.

In the controller you can choose the following:

• WIRELESS > Netflow > Monitor to configure or view details of the NetFlow monitor and records.

See Netflow Monitor for more information.

• WIRELESS > Netflow > Exporter to view details of the NetFlow exporters.

See Netflow Exporter for more information.

Netflow MonitorChoose WIRELESS > Netflow > Monitor to navigate to the Monitor page. NetFlow record monitoring and export are used for integration with Cisco Prime Infrastructure or any NetFlow analysis tool.

This table describes the NetFlow monitor parameters.


Chapter 5 Wireless Tab NetFlow

Click New to add a new NetFlow monitor.

Netflow ExporterChoose WIRELESS > Netflow > Exporter to navigate to the Exporter page.

This table describes the NetFlow exporter parameters.

Table 5-145 NetFlow Monitor Parameters


Monitor Name Name of the NetFlow monitor. The monitor name can be up to 127 case-sensitive, alphanumeric characters. You cannot include spaces within a monitor name. You can configure only one monitor in the controller.

Record Name Name of the NetFlow record. A NetFlow record in the controller contains the following information about the traffic in a given flow:

• Client MAC address

• Client source IP address

• WLAN ID

• Application ID

• Incoming bytes of data

• Outgoing bytes of data

• Incoming packets

• Outgoing packets

• Incoming DSCP

• Outgoing DSCP

• Name of the last AP

Exporter Name Name of the exporter. You cannot include spaces within an exporter name. You can configure only one monitor in the controller.

Exporter IP IP address of the collector.

Port UDP port through which the NetFlow record is exported from the controller.

Table 5-146 NetFlow Exporter Parameters


Exporter Name Name of the exporter. You can configure only one exporter on the controller. You cannot include spaces within an exporter name.

Exporter IP IP address of the exporter.

Port Number UDP port through which the NetFlow record is exported.


Chapter 5 Wireless Tab QoS Profiles

QoS ProfilesChoose WIRELESS > QoS > Profiles to navigate to the QoS Profiles page. This page enables you to view the quality of service (QoS) settings.

This table describes the QoS profiles parameters.

Click the profile name to go to the Editing QoS Profile page and specify how much bandwidth a client is allocated in the network for that QoS profile.

Editing QoS ProfileChoose WIRELESS > QoS > Profiles and then click the profile name to navigate to the Edit QoS Profile page.

The top of the main page lists the selected quality of service (QoS) profile name.

This table describes the QoS profile parameters.

Table 5-147 QoS Profiles


Profile Name Name of the QoS profile.

Description Platinum (Voice)—Assures a high quality of service for Voice over Wireless.

Gold (Video)—Supports high-quality video applications.

Silver (Best Effort)—Supports the normal bandwidth for clients. This setting is the default.

Bronze (Background)—Provides the lowest bandwidth for guest services.

VoIP clients should be set to Platinum while low-bandwidth data clients can be set to Silver or Bronze.

Table 5-148 QoS Profile Parameters


QoS Profile Name Name of the QoS profile.

Description User-defined description for this QoS profile.

Per-User Bandwidth and Per-SSID Bandwidth Contracts

Note When you set the Per-User Bandwidth Contracts parameters to 0 (OFF), the traffic allowed is unlimited and is restricted by only other 802.11 limitations.





Average Real-Time Rate User-defined average data rate (kbps) for UDP traffic.



Chapter 5 Wireless Tab QoS Roles for Guest Users


Click Reset to defaults to reset the parameters to the factory default.

QoS Roles for Guest UsersChoose WIRELESS > QoS > Roles to navigate to the QoS Roles for Guest Users page.

This page enables you to view the quality of service (QoS) roles for guest users.



WLAN QoS Parameters

Maximum Priority Maximum QoS priority for the WLAN of the profile.

Available options are as follows:

• besteffort

• background

• video

• voice

Unicast Default Priority Default QoS priority of unicast packet for the WLAN of the profile.


• besteffort

• background

• video

• voice

Multicast Default Priority

Default QoS priority of multicast packet for the WLAN of the profile.


• besteffort

• background

• video

• voice

Wired QoS Protocol

Protocol Type Protocol type. Choose 802.1P to activate 802.1P Priority Tags, or choose None to deactivate 802.1P Priority Tags (default).

802.1P Tag 802.1P priority tag for the wired connection that is used for traffic and CAPWAP packets. Valid values are from 0 to 7.

The default values are 1 for Bronze, 3 for Silver, 4 for Gold, and 6 for Platinum.

Table 5-148 QoS Profile Parameters




Choose New to display the Creating New QoS Roles page and to create a new QoS role.

Click the role name to display the Editing QoS Role Data Rates page and specify how much bandwidth a wired guest user is allocated in the network for that QoS role.

Note After you create the QoS role for guest user, you can assign a role to a guest user from the Local Net Users page.

To delete a role, click the blue arrow adjacent the desired access point and choose Remove.

To add a new role, click New.

Creating New QoS RolesChoose WIRELESS > QoS > Roles and then click New to navigate to the QoS Role Name > New page.

This page enables you to create quality of service roles for guest users. Click the profile name to go to the Editing QoS Role Data Rates page and edit the QoS role parameters.


Editing QoS Role Data RatesChoose WIRELESS > QoS > Roles, and then click the role name to navigate to the Edit QoS Role data rates page.

This page enables you to specify bandwidth limits for guest users of different roles. The top of the main page lists the selected role name.

This table describes the QoS role parameters.


Table 5-149 QoS Role Parameters


Note When you set the Per-User Bandwidth Contracts parameters to 0 (OFF), the traffic allowed is unlimited and is restricted only by other 802.11 limitations.

Average Data Rate Operator-defined average data rate (kbps) for non-UDP traffic.

Valid values are from 0 to 60,000; the default value is 0 (OFF).

Burst Data Rate Operator-defined peak data rate (kbps) for non-UDP traffic.


Average Real-Time Rate Operator-defined average data rate (kbps) for UDP traffic.


Burst Real-Time Rate Operator-defined peak data rate (kbps) for UDP traffic.



C H A P T E R 6
Security Tab
The Security tab on the menu bar enables you to configure and set security policies on your Cisco WLC. Use the Selector area to access specific security parameters. Making this selection from the menu bar opens the RADIUS Authentication Servers page.

You can access the following pages from the security tab:

• General (AAA)

• RADIUS Authentication Servers

• RADIUS Accounting Servers

• RADIUS Fallback Parameters

• RADIUS DNS Parameters

• TACACS+ Authentication Servers

• TACACS+ Accounting Servers

• TACACS+ Authorization Servers

• TACACS DNS Parameters

• LDAP Servers

• Local Net Users

• MAC Filtering

• Disabled Clients

• User Policies

• AP Policies

• Password Policies

• General (Local EAP)

• Local EAP Profiles

• EAP-FAST Method Parameters

• Authentication Priority

• Priority Order of Management Users

• Local Significant Certificates

• Self Significant Certificates

• Access Control Lists


Chapter 6 Security Tab General (AAA)

• CPU Access Control Lists

• FlexConnect ACLs

• Rogue Policy

• Rogue Rules

• Priority of Rogue Rules

• Friendly Rogues

• Standard Signatures

• Custom Signatures

• Signature Events Summary

• Signature Event Track Details

• Client Exclusion Policies

• AP Authentication

• Management Frame Protection Settings

• Web Login Page

• Web Authentication Certificate

• External Web Authentication

• TrustSec SXP

• Local Policies

• Cisco Intrusion Detection System

• CA Certification

• ID Certificate

General (AAA)Choose SECURITY > AAA > General to navigate to the General page.

This page enables you to specify the maximum number of local network users that can exist on the local user database:

• Maximum Local Database entries—Enables you to enter a value for the maximum number of local network users that can be added to the local user database the next time that the Cisco WLC reboots. The currently configured value appears in parentheses to the right of the field. The valid range is from 512 to 2048, and the default setting is 2048.

• Number of entries, already used—Displays the number of entries currently in the database.


RADIUS Authentication ServersChoose SECURITY > AAA > RADIUS > Authentication to navigate to the RADIUS Authentication Servers page.


Chapter 6 Security Tab RADIUS Authentication Servers

This page displays RADIUS server information for your configured RADIUS server and enables you to edit the Call Station ID Type:

• Auth Called Station ID Type— The Call Station ID Type is applicable only for non-802.1X authentication. The different Call Station ID types are as follows:

– IP address

– System MAC address

– AP MAC address:SSID

– AP MAC Address

– AP Name

– AP Name: SSID

– AP Group

– Flex Group

– AP Location

– VLAN ID

– AP Eth MAC Address

– AP Eth MAC Address:SSID

– AP Label MAC Address

– AP Label MAC Address:SSID

• Use AES KeyWrap—RADIUS-to-Cisco WLC key transport using AES KeyWrap protection. The AES KeyWrap is required for FIPS customers. All defined RADIUS must have AES KeyWrap keys defined.

• MAC Delimiter—Delimiter that you can use when you specify the MAC address. The available options are as follows:

– Colon

– Hyphen

– Single Hyphen

– No Delimiter

• Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.

• Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server.

• Server Index—RADIUS server index. The Cisco WLC tries Index 1 first, and then Index 2 and so on, in an ascending order. This value should be 1 if your network is using only one authentication server.

• Server Address (IPv4/IPv6)—IP address of the RADIUS server. From Release 8.0, the controller supports both, IPv4 and IPv6.

• Port—Communication port number for the interface protocols. The default is 1812.

• IPSec—Read-only field. Displays the IPsec mechanism. If this option is enabled, the IP Security Parameters fields are also displayed.



• Admin Status—Whether the RADIUS authentication server is enabled or disabled.

Click the server index number to open the Updating RADIUS Authentication Servers page.

To delete an existing RADIUS authentication server, click the blue arrow adjacent the desired access point and choose your cursor over the blue drop-down arrow and choose Remove.

To send ping packets to the RADIUS server to verify that you have a working connection between the Cisco WLC and the RADIUS server, click the blue arrow adjacent the desired server and choose Ping.


Click New to add a new RADIUS authentication server (For more information, see Adding RADIUS Authentication Servers).

Adding RADIUS Authentication ServersChoose SECURITY > AAA > RADIUS > Authentication and then click New to navigate to the RADIUS Authentication Servers > New page.

This page enables you to add a new RADIUS server:

• Server Index (Priority)—Index of the RADIUS server. The Cisco WLC tries Index 1 first, and then Index 2 through 17, in an ascending order. Set the server index to 1 if your network is using only one authentication server.

Note You can have a maximum of 17 RADIUS authenticating server entries for a single WLAN.

• Server IP Address (IPv4/IPv6)—IP address of the RADIUS server. From Release 8.0, the controller supports both, IPv4 and IPv6.

• Shared Secret Format—Format of the shared secret that you set to either ASCII or Hex.

• Shared Secret/Confirm Shared Secret—RADIUS server login Shared Secret.

• Key Wrap—Check box that you can select to enable the following AES KeyWrap keys:

– Key Wrap Format—ASCII or hexadecimal.

Note FIPS customers must enter keys using hexadecimal notation.

– Key Encryption Key (KEK)—128-bit (16-byte) AES KeyWrap Key Encryption Key.

– Message Authentication Code Key (MACK)—160-bit (20-byte) AES KeyWrap Message Authentication Code Key.

• Port Number—Communication port number for the interface protocols.

Note Do not assign the port number that is used by another application. Use the default (1812) or any other port unused by any other application.

• Server Status—RADIUS authentication server that you enable or disable.

• Support for RFC 3576—Support for RFC 3576 that you can enable or disable. RFC 3576 is an extension to the RADIUS protocol, which allows dynamic changes to a user session including support for disconnecting users and changing authorizations applicable to a user session (support



for Disconnect and Change-of-Authorization [CoA] messages). Disconnect messages cause a user session to be terminated immediately; CoA messages modify session authorization attributes such as data filters.

• Server Timeout—Time in seconds after which the RADIUS authentication request times out and a retransmission is taken up by the Cisco WLC. You can specify a value between 2 to 30 seconds.

• Network User—Network user authentication that you can enable or disable. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.

• Management—Management authentication that you can enable or disable. If this option is enabled, this entry is considered as the RADIUS authenticating server for the management user. If you enable this option, authentication requests go to the RADIUS server.

• IPsec—Check box that allows you to enable or disable the IP Security mechanism. If you enable this option, the IP Security Parameters fields are displayed.

Note The IPsec option is displayed only if a crypto card is installed on the Cisco WLC.

Note IPsec does not support IPv6. Use this only if you have used IPv4 for Server IP Address.

• IPsec Authentication: Set the IP security authentication protocol to be used. Options are as follows:

– HMAC-SHA1

– HMAC-MD5

Message Authentication Codes (MACs) are used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is a mechanism based on cryptographic hash functions. HMAC can be used with any iterated cryptographic hash function. HMAC-MD5 and HMAC-SHA-1 are two constructs of the HMAC using the MD5 hash function and the SHA-1#hash function. HMAC also uses a secret key for calculation and verification of the message authentication values.

• IPsec Encryption—IP security encryption mechanism to be used. Options are as follows:

– DES —Data Encryption Standard that uses a private data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.

– Triple DES—Data Encryption Standard that applies three keys in succession.

– AES CBS—Advanced Encryption Standard that uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses 128 bit data path in Cipher Clock Chaining (CBC) mode.

• IKE Phase 1: Internet Key Exchange protocol (IKE). Options are as follows:

– Aggressive

– Main

IKE Phase-1 is used to negotiate how IKE should be protected. Aggressive mode passes more information in fewer packets, with a slightly faster connection, at the cost of transmitting the identities of the security gateways in the clear.

• Lifetime (seconds): Set the timeout interval for the session expiry. The default is 28800 seconds.

• IKE Diffie Hellman Group: Set the IKE Diffie Hellman Group. The options are as follows:


Chapter 6 Security Tab RADIUS Accounting Servers

– Group 1 (768 bits)



Diffie-Hellman techniques are used by two devices to generate a symmetric key where they can publicly exchange values and generate the same symmetric key.

Although all the three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 keys might occur slightly faster because of their smaller prime number size.



Although all the four groups provide security from conventional attacks, Group 14 is considered most secure because of its larger key size. However, computations involving Group 1, Group 2, and Group 5 keys might occur slightly faster because of their smaller prime number size. The default value is Group 1.

• Auth Method—IPsec authentication method that can be PSK or Certificate.Shared Secret Format—Format of the shared secret that you set to either ASCII of Hex.



Updating RADIUS Authentication ServersChoose SECURITY > AAA > RADIUS > Authentication and click on a link in the Server Index column to update RADIUS authentication servers.

This page enables you to change the RADIUS Authentication parameters on an existing RADIUS server. See Adding RADIUS Authentication Servers.


RADIUS Accounting ServersChoose SECURITY > AAA > RADIUS > Accounting to navigate to the RADIUS Accounting Servers page.

This page displays RADIUS information for your existing RADIUS server.

• Network User—Network user authentication that you can enable or disable. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user. The default is unselected.

• Server Index—The RADIUS server index. The Cisco WLC tries Index 1 first, and then Index 2 through 17, in an ascending order. Set the server index to 1 if your network is using only one accounting server.

Note You can configure a maximum of 17 RADIUS accounting server entries for a single WLAN.



• Server Address (IPv4/IPv6)—IP address of the RADIUS server. From Release 8.0, the controller supports both, IPv4 and IPv6.

• Port—Controller port number for the interface protocols.

• IPsec—Read-only field. Displays the status of the IPsec mechanism. If this option is enabled, the IP Security Parameters fields are also be displayed.

• Admin Status—Whether the RADIUS accounting server is enabled or disabled.

Click the server index number to update the RADIUS accounting servers (see Editing RADIUS Accounting Servers).

Click the blue arrow adjacent the desired server and choose Remove to delete an existing RADIUS accounting server.

Click the blue arrow adjacent the desired server and choose Ping to send ping packets to the RADIUS server to verify that you have a working connection between the Cisco WLC and the RADIUS server.

Click New to add a new RADIUS accounting server (For more information, see Adding RADIUS Accounting Servers).

Adding RADIUS Accounting ServersChoose SECURITY > AAA > RADIUS > Accounting and then click New to navigate to the RADIUS Accounting Servers > New page.

This page enables you to add a new RADIUS server:

• Server Index (Priority)—Index of the RADIUS server. The Cisco WLC tries Index 1 first, and then Index 2 through 17, in an ascending order. Set to 1 if your network is using only one accounting server.

• Server IP Address (IPv4/IPv6)—IP address of the RADIUS server. From Release 8.0, the controller supports both, IPv4 and IPv6.

• Shared Secret Format—Format of the shared secret that you set to either ASCII of Hex.


• Port Number—Port number for the interface protocols.

Note Do not assign the port number to one that is used by another application. Use the default (1813) or any other port unused by any other application.

• Server Status—RADIUS accounting server that you enable or disable.

• Server Timeout—Time in seconds after which the RADIUS authentication request times out and a retransmission is taken up by the Cisco WLC. You can specify a value between 2 to 30 seconds.

• Network User—Network user authentication that you can enable or disable. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.

• IPSec—Check box that you can select to enable or disable the IP Security mechanism. If you enable this option, the IP Security Parameters fields are displayed.

Note IPSec does not support IPv6. Use this only if you have used IPv4 for Server IP Address.

• IPSec Authentication: Set the IP security authentication protocol to be used. Options are as follows:



– HMAC-SHA1

– MAC-MD5

– None


• IPsec Encryption—IP security encryption mechanism. Options are as follows:

– DES—Data Encryption Standard that uses a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.

– Triple DES—Data Encryption Standard that applies three keys in succession.

– AES 128 CBC—Advanced Encryption Standard that uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses 128-bit data path in Cipher Clock Chaining (CBC) mode.

• IKE Authentication: (Display Only Field).

• IKE (Internet Key Exchange protocol) is used as a method of distributing the session keys (encryption and authentication), as well as providing a way for the VPN endpoints to agree on how the data should be protected. IKE keeps track of connections by assigning a bundle of Security Associations (SAs), to each connection.

• IKE Phase 1: Set the Internet Key Exchange protocol (IKE). Options are as follows:

– Aggressive

– Main

IKE Phase-1 is used to negotiate how IKE should be protected. Aggressive mode passes more information in fewer packets, with a slightly faster connection establishment, at the cost of transmitting the identities of the security gateways in the clear.

• Lifetime (seconds): Timeout interval for the session expiry. The default is 28800 seconds.

• IKE Diffie Hellman Group—Options are as follows:






Although all the four groups provide security from conventional attacks, Group 14 is considered most secure because of its larger key size. However, computations involving Group 1, Group 2, and Group 5 keys might occur slightly faster because of their smaller prime number size.

• Auth Method—IPsec authentication method that can be PSK or Certificate.

• Shared Secret Format—Format of the shared secret that you set to either ASCII of Hex.




Chapter 6 Security Tab RADIUS Fallback Parameters

Editing RADIUS Accounting ServersChoose SECURITY > AAA > RADIUS > Accounting and then click Edit to navigate to the RADIUS Accounting Servers > Edit page.

This page enables you to change the RADIUS accounting parameters on an existing RADIUS server. for more information about the parameters, see Adding RADIUS Accounting Servers:


RADIUS Fallback ParametersChoose SECURITY > AAA > RADIUS > Fallback to navigate to the RADIUS > Fallback Parameters page.

If the primary RADIUS server (for example, Index 1) is unavailable, the Cisco WLC switches to the next RADIUS server (for example, Index 2). By default, when the RADIUS server configured as Index 1 becomes available again, the current RADIUS server remains the primary server.

You can configure the RADIUS server fallback behavior to specify which RADIUS server is the primary server. This table describes the RADIUS fallback parameters.


Table 6-1 RADIUS Fallback Parameters


Fallback Mode Specify the RADIUS server fallback mode:

• Active—Specifies that the Cisco WLC will revert to a server with a lower server index from the backup servers by sending RADIUS probe messages to determine whether a server that has been marked as inactive is back online. The Cisco WLC ignores all inactive servers for all active RADIUS requests.

• Passive—Specifies that the Cisco WLC will revert to a server with a lower server index from the backup servers without using probe messages. The Cisco WLC ignores all inactive servers for a period of time and then retries later when a RADIUS message needs to be sent.

• Off—(Default) Disable server fallback.

Username Enter the name to be sent in the inactive server probes, up to 16 alphanumeric characters. The default value is cisco-probe.

Interval in sec Enter the probe interval (when using Active mode) or inactive time (when using Passive mode) in seconds. Valid values are from 180 to 3600; the default value is 300.


Chapter 6 Security Tab RADIUS DNS Parameters

RADIUS DNS ParametersChoose SECURITY > AAA > RADIUS > DNS to navigate to the RADIUS DNS Parameters page.

This page allows Cisco WLC to retrieve the RADIUS IP information from a DNS server. The DNS server is queried at regular intervals for updates. The Cisco WLC also runs the query if you manually change the DNS server list, or if one of the servers timeouts. As the DNS list overrides the static list, all manual AAA configurations on the WLAN will stop functioning as soon as the global server list gets populated from the DNS server. DNS AAA is also valid for FlexConnect AP clients using central authentication.

Note RADIUS DNS is not supported for FlexConnect AP groups and FlexConnect clients with local switching.

Note DNS does not support IPv6.

This table describes the DNS parameters.


TACACS+ Authentication ServersChoose SECURITY > AAA > TACACS+ > Authentication to navigate to the TACACS+ Authentication Servers page.

Table 6-2 DNS Parameters


DNS Query Check box to enable the Cisco WLC to retrieve the RADIUS IP information from a DNS server. The default is disabled.

Note When you enable the DNS query, the static configurations will be overridden. The DNS list overrides the static AAA list.

Port Number Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port.

Note The accounting port is derived from the authentication port.

Secret Format Format of the shared secret that you set to either ASCII or Hex.

Secret/Confirm Secret RADIUS server login secret.

Note All the DNS servers should use the same secret.

DNS Timeout Maximum time, in seconds, that the Cisco WLC waits before timing out the request and resending it. The range is from 1 to 180 days.

URL Fully qualified domain name (FQDN) of the RADIUS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters.

Server IP Address DNS server IP address.

Note IPv6 is not supported for DNS.


Chapter 6 Security Tab TACACS+ Authentication Servers

This page displays a summary of the existing TACACS+ authentication servers.

You can configure up to three TACACS+ authentication, authorization, and accounting servers each. For example, you may want to have one central TACACS+ authentication server but several TACACS+ authorization servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the Cisco WLC automatically tries the second one and then the third one if necessary.

Note If multiple TACACS+ servers are configured for redundancy, the user database must be identical in all the servers for the backup to work properly.

This page displays the following information about the configured TACACS servers:

• Server Index—Index of the TACACS+ server.

• Server Address (IPv4/IPv6)—IP address of the TACACS+ server. From Release 8.0, the controller supports both, IPv4 and IPv6.

• Port—TACACS+ server TCP port number.

• Admin Status—TACACS+ server status.

You can perform the following actions:

• To edit an existing TACACS+ authentication server, click the index number for that server.

• To remove an existing TACACS+ authentication server, click the blue arrow adjacent the desired server and choose Remove.

• To ping the TACACS+ authentication server, click the blue arrow adjacent the desired server and choose Ping.

• Click New to add a new TACACS+ Authentication server.

Adding TACACS+ Authentication ServersChoose SECURITY > AAA > TACACS+ > Authentication and then click New to navigate to the TACACS+ Authentication Servers > New page.

This page enables you to configure a TACACS+ authentication server:

Note You must configure TACACS+ on both your Cisco Secure Access Control Server (ACS) and your Cisco WLC. For information on configuring the ACS, refer to the Cisco Wireless Controller Configuration Guide or the Cisco Secure ACS Configuration Guide.

• Server Index (Priority)—Index of the TACACS+ server. Choose a number to specify the priority order of this server in relation to any other configured TACACS+ servers. You can configure up to three servers. If the Cisco WLC cannot reach the first server, it tries the second one in the list and so on.

• Server IP Address (IPv4/IPv6)—IP address of the TACACS+ server. From Release 8.0, the controller supports both, IPv4 and IPv6.


Chapter 6 Security Tab TACACS+ Accounting Servers


• Shared Secret/Confirm Shared Secret—TACACS+ server login Shared Secret.

• Port Number—TACACS+ server TCP port number. The valid range is 1 to 65535; the default value is 49.

Note Do not assign a port number that is used by another application. Use the default (49) or any other port unused by any other application.

• Server Status—TACACS+ server status that you can enable or disable.

• Server Timeout—Number of seconds between retransmissions. The valid range is 5 to 30 seconds, and the default value is 5 seconds.


Editing TACACS+ Authentication ServersChoose SECURITY > AAA > TACACS+ > Authentication and then click a Server Index number to navigate to the TACACS+ Authentication Servers > Edit page.

This page enables you to change the settings for an existing TACACS+ authentication server.






TACACS+ Accounting Servers Choose SECURITY > AAA > TACACS+ > Accounting to navigate to the TACACS+ Accounting Servers page.

This page displays a summary of the existing Terminal Access Controller Access Control System Plus (TACACS+) Accounting servers.





Chapter 6 Security Tab TACACS+ Accounting Servers





To edit an existing TACACS+ accounting server, click the index number for that server.

• To remove an existing TACACS+ accounting server, click the blue arrow adjacent the desired server and choose Remove.

• To ping the TACACS+ accounting server, click the blue arrow adjacent the desired server and choose Ping.

• Click New to add a new TACACS+ accounting server.

Adding TACACS+ Accounting ServersChoose SECURITY > AAA > TACACS+ > Accounting and then click New to navigate to the TACACS+ Accounting Servers > New page.

This page enables you to configure a TACACS+ accounting server:


• Server Index (Priority)—Index of the TACACS server. Choose a number to specify the priority order of this server in relation to any other configured TACACS+ servers. You can configure up to three servers. If the Cisco WLC cannot reach the first server, it tries the second one in the list and so on.




• Port Number—Enter the TACACS+ server TCP port number. The valid range is 1 to 65535; the default value is 49.






Chapter 6 Security Tab TACACS+ Authorization Servers

Editing TACACS+ Accounting ServersChoose SECURITY > AAA > TACACS+ > Accounting and then click a Server Index number to navigate to the TACACS+ Accounting Servers > Edit page.

This page enables you to change the settings for an existing TACACS+ accounting server.

• Shared Secret Format—Shared secret that you set to either ASCII or Hex.


• Server Status—TACACS+ server that you enable or disable.



TACACS+ Authorization Servers Choose SECURITY > AAA > TACACS+ > Authorization to navigate to the TACACS+ Authorization Servers page.

This page displays a summary of the existing TACACS+ authorization servers:









• To edit an existing TACACS+ Authorization server, click the index number for that server.

• To remove an existing TACACS+ Authorization server, click the blue arrow adjacent the desired server and choose Remove.

• To ping the TACACS+ Authorization server, click the blue arrow adjacent the desired server and choose Ping.

• Click New to add a new TACACS+ Authorization server.


Chapter 6 Security Tab TACACS+ Authorization Servers

Adding TACACS+ Authorization ServersChoose SECURITY > AAA > TACACS+ > Authorization and then click New to navigate to the TACACS+ Authorization Servers > New page.

This page enables you to configure a TACACS+ authorization server:


• Server Index (Priority)—Index of the TACACS server. Choose a number to specify the priority order of this server in relation to any other configured TACACS+ servers. You can configure up to three servers. If the Cisco WLC cannot reach the first server, it tries the second one in the list and so on.




• Port Number—TACACS+ server TCP port number. The valid range is 1 to 65535; the default value is 49.


• Server Status—Enable or disable this TACACS+ server.

• Server Timeout—Enter the number of seconds between retransmissions. The valid range is 5 to 30 seconds, and the default value is 5 seconds.


Editing TACACS+ Authorization ServersChoose SECURITY > AAA > TACACS+ > Authorization and then click a Server Index number to navigate to the TACACS+ Authorization Servers > Edit page.

This page enables you to change the settings for an existing TACACS+ authorization server:







Chapter 6 Security Tab TACACS DNS Parameters

TACACS DNS ParametersChoose SECURITY > AAA > TACACS > DNS to navigate to the TACACS DNS Parameters page.

This page allows Cisco WLC to retrieve the TACACS IP information from a DNS server. The DNS server is queried at regular intervals for updates. The Cisco WLC also runs the query if you manually change the DNS server list, or if one of the servers timeouts. As the DNS list overrides the static list, all manual AAA configurations on the WLAN will stop functioning as soon as the global server list gets populated from the DNS server. DNS AAA is also valid for FlexConnect AP clients using central authentication.

Note TACACS DNS is not supported for FlexConnect AP groups and FlexConnect clients with local switching.

Note DNS does not support IPv6.

This table describes the TACACS DNS parameters.


LDAP ServersChoose SECURITY > AAA > LDAP to navigate to the LDAP Servers page.

Table 6-3 TACACS DNS Parameters


DNS Query Check box to enable the Cisco WLC to retrieve the TACACS IP information from a DNS server. The default is disabled.

Note When you enable the DNS query, the static configurations will be overridden. The DNS list overrides the static AAA list.

Port Number Port number for authentication. The range is from 1 to 65535. All the DNS servers should use the same authentication port.

Note The accounting port is derived from the authentication port.

Secret Format Format of the shared secret that you set to either ASCII or Hex.

Secret/Confirm Secret TACACS server login secret.

Note All the DNS servers should use the same secret.

DNS Timeout Maximum time, in seconds, that the Cisco WLC waits before timing out the request and resending it. The range is from 1 to 180 days.

URL Fully qualified domain name (FQDN) of the TACACS server. The FQDN can be up to 63 case-sensitive, alphanumeric characters.

Server IP Address DNS server IP address.

Note IPv6 is not supported for DNS.


Chapter 6 Security Tab LDAP Servers

This page displays a summary of the existing Lightweight Directory Access Protocol (LDAP) servers:

• Server Index—Index of the LDAP server.

• Server Address (IPv4/IPv6)—IP address of the LDAP server. From Release 8.0, the controller supports both, IPv4 and IPv6.

• Port—TCP port number of the LDAP server.

• Server State—Current status of the server.

• Bind—Local authentication bind method for the LDAP server.


• To edit an existing LDAP server, click the index number for that server.

• To remove an existing LDAP server, click the blue arrow adjacent the desired server and choose Remove.

• To ping the LDAP server, click the blue arrow adjacent the desired server and choose Ping.

Click New to add a new LDAP server.

Adding LDAP ServersChoose SECURITY > AAA > LDAP and then click New to navigate to the LDAP Servers > New page.

This page enables you to configure a Lightweight Directory Access Protocol (LDAP) server as a back-end database, which is similar to a RADIUS or local user database. An LDAP back-end database allows the Cisco WLC to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user. For example, local EAP may use an LDAP server as its back-end database to retrieve user credentials.

Note The LDAP back-end database supports these local EAP methods: EAP-TLS, EAP-FAST/GTC, and PEAPv1/GTC.

LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password.

If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.

• Server Index (Priority)—Index of the LDAP server. Choose a number to specify the priority order of this server in relation to any other configured LDAP servers. You can configure up to 17 servers. If the Cisco WLC cannot reach the first server, it tries the second one in the list and so on.

• Server IP Address (IPv4/IPv6)—IP address of the LDAP server. From Release 8.0, the controller supports both, IPv4 and IPv6.

• Port Number—LDAP server TCP port number. The valid range is 1 to 65535; the default value is 389.

• Simple Bind—Local authentication bind method for the LDAP server that you can specify: either Anonymous or Authenticated. The Anonymous method allows anonymous access to the LDAP server. The Authenticated method requires that a username and password be entered to secure access.


Chapter 6 Security Tab LDAP Servers

• Bind Username—(for Authenticated bind method) Username to be used for local authentication to the LDAP server. The username can contain up to 80 characters.

Note If the username starts with "cn=" (in lowercase letters), the Cisco WLC assumes that the username includes the entire LDAP database path and does not append the user base DN. This designation allows the authenticated bind user to be outside the user base DN.

• Bind Password—(for Authenticated bind method) Password to be used for local authentication to the LDAP server.

• Confirm Bind Password—(for Authenticated bind method) Password to be used for local authentication to the LDAP server.

• User Base DN—Distinguished name (DN) of the subtree in the LDAP server that contains a list of all the users. For example, ou=organizational unit, ou=next organizational unit, and o=corporation.com. If the tree that contains users is the base DN, type o=corporation.com or dc=corporation,dc=com.

• User Attribute—Name of the attribute in the user record that contains the username. You can obtain this attribute from your directory server.

• User Object Type—Value of the LDAP objectType attribute that identifies the record as a user.


• Enable Server Status—LDAP server that you can enable or disable.


Editing LDAP ServersChoose SECURITY > AAA > LDAP and then click a Server Index number to navigate to the LDAP Servers > Edit page.

This page enables you to change the settings for an existing Lightweight Directory Access Protocol (LDAP) server:

• Enable Server Status—LDAP server that you can enable or disable.

• Simple Bind—Local authentication bind method for the LDAP server that you can specify: either Anonymous or Authenticated. The Anonymous method allows anonymous access to the LDAP server. The Authenticated method requires that a username and password be entered to secure access.

• Bind Username—Username to be used for local authentication to the LDAP server.

• Bind Password—Password to be used for local authentication to the LDAP server.

• Confirm Bind Password—Password to be used for local authentication to the LDAP server.

• User Base DN—Distinguished name (DN) of the subtree in the LDAP server that contains a list of all the users. For example, ou=organizational unit, ou=next organizational unit, and o=corporation.com. If the tree that contains users is the base DN, type o=corporation.com or dc=corporation,dc=com.

• User Attribute—Name of the attribute in the user record that contains the username. You can obtain this attribute from your directory server.


Chapter 6 Security Tab Local Net Users

• User Object Type—Value of the LDAP objectType attribute that identifies the record as a user.



Local Net UsersChoose SECURITY > AAA > Local Net Users to navigate to the Local Net Users page.

This page displays a summary of the existing local network clients who are allowed to access a specific Cisco WLAN Solution WLAN sorted by the username. You must enable Layer 3 Web Authentication located on the Adding Local Net Users page must be enabled.

This table describes the local net user parameters.

Client information is passed to the RADIUS authentication server first, and if the client information does not match a RADIUS database entry, this local database is polled. Clients located in this database are granted access to network services if the RADIUS authentication fails or does not exist.

• Click the username to edit a local network user definition on the Editing Local Net Users page.

• Click the blue arrow adjacent the desired client and choose Remove to remove an existing local network client.

Click New to add a new local network client (Adding Local Net Users).

Adding Local Net UsersChoose SECURITY > AAA > Local Net Users and then click New to navigate to the Local Net Users > New page.

This page enables you to add a local network user. You must enable Layer 3 Web Authentication located on Editing WLANs page.

• User Name—Username of the local network user.

• Password—Password of the local network user.

• Confirm Password—Password for the local network user.

• Guest User—Guest User check box that you can select to limit the amount of time that the user has access to the local network. The default setting is unselected.

Table 6-4 Local Net User Parameters


User Name Username of the local net user.

WLAN Profile WLAN profile of the local net user.

Guest User Whether the user is a guest user.

Role Role of the local net user.

Description Short description about the configured local net user.


Chapter 6 Security Tab MAC Filtering

• Lifetime—If you selected the Guest User check box, enter the amount of time (in seconds) that the guest user account is to remain active in the Lifetime text box. The valid range is 60 to 2592000 seconds, and the default setting is 86400 seconds.

• Guest User Role—If you created a QoS role for guest users (QoS Roles for Guest Users), select the Guest User Role check box and select a Role from the drop-down list.

• WLAN Profile—Select WLAN profile that the user is allowed to access. If you choose Any WLAN, which is the default setting, the user can access any of the configured WLANs.

• Description—User description that you can enter.


Editing Local Net UsersChoose SECURITY > AAA > Local Net Users and then click the username to navigate to the Local Net Users > Edit page.

This page enables you to edit a local network user definition. You must enable Layer 3 Web Authentication located on Editing WLANs page.

• User Name—Read-only field that displays the username of the local network user.

• Password—Password that you can specify.

• Confirm Password—Password that you can specify.

• Lifetime (seconds)—Lifetime of the user in seconds.

• Guest User Role—Guest User parameter that you can confirm or change if you want to limit the amount of time that the user has access to the local network. The default setting is unselected. If you selected the Guest User check box, confirm or change the amount of time (in seconds) that the guest user account is to remain active in the Lifetime text box. The valid range is 60 to 2592000 seconds, and the default setting is 86400 seconds.

• Guest User Role—If you created a QoS role for guest users (QoS Roles for Guest Users), confirm or change the Guest User Role check box and select a Role from the drop-down list.

• WLAN Profile—WLAN profile that you can select from the drop-down list.

• Description—User description that you can enter.


MAC FilteringChoose SECURITY > AAA > MAC Filtering to navigate to the MAC Filtering page.

This page displays the RADIUS Compatibility Mode, MAC delimiters for MAC Filtering, and the client MAC addresses that you entered into the Cisco WLC's local database.

You can configure each client MAC address to access network services through a specific Cisco WLAN and interface, or you can configure the WLAN as “Any WLAN” and the interface as “None” so that the client is not limited to that single WLAN or interface.


Chapter 6 Security Tab MAC Filtering

When MAC filtering is configured on the WLAN, the Cisco WLC checks the local database for the client MAC address. If the client MAC address is not found locally, then the Cisco WLC queries a RADIUS server following the RADIUS Compatibility mode, if one is configured.

• Radius Compatibility Mode—Select the required RADIUS Compatibility Mode for MAC filtering:

– Cisco ACS—In the RADIUS access-request packet, the username and password are the client MAC address.

– Free RADIUS—In the RADIUS access-request packet, the username is the client MAC address, and the password is the shared secret between the Cisco WLC and that RADIUS server.

Note The shared secret is the phrase that you entered when configuring the RADIUS server on the Cisco WLC.

Note Cisco ACS supports the free RADIUS compatibility mode.

– Other—In the RADIUS access-request packet, the username is the client MAC address, but the password is not sent in the RADIUS access-request packet.

• Choose the required MAC delimiters for MAC filtering. The MAC delimiters can be a colon (xx:xx:xx:xx:xx:xx), hyphen (xx-xx-xx-xx-xx-xx), single hyphen (xxxxxx-xxxxxx), or none (xxxxxxxxxxxx), as required by the RADIUS server.

This page lists the current local MAC filters:

• MAC Address—Client MAC address.

• Profile Name—Profile name to which the client has access.

• Interface—Interface name as defined in the Interfaces page.

• IP Address—IP address.

• Description—Description of the local MAC filter.


• Click the MAC address to change a current local MAC filter definition on the Editing MAC Filters page.

• Click the blue arrow adjacent the desired filter and choose Remove to remove a current local MAC filter.


Click New to add a new client by the MAC address (Adding MAC Filters).

Adding MAC FiltersChoose SECURITY > AAA > MAC Filtering and then click New to navigate to the MAC Filtering > New page.

This page enables you to add a client by the MAC address:

• MAC Address—Client MAC address that you can specify.

• Profile Name—Profile name to which the client has access.


Chapter 6 Security Tab Disabled Clients

• Description—Client description that you can specify.


• Interface Name—Associated interface name, as defined in the Interfaces page.


Editing MAC FiltersChoose SECURITY > AAA > MAC Filtering and then click a MAC address to navigate to the MAC Filtering > Edit page.

This page enables you to change a MAC filter definition for an existing client MAC address.

• MAC Address—Read-only field that displays the client MAC address.

• Profile Name—Profile name to which the client has access from the drop-down list.

• IP Address—Client IP address that you can specify.

• Interface Name—Associated Interface Name, as defined in the Interfaces page.


Disabled ClientsChoose SECURITY > AAA > Disabled Clients to navigate to the Disabled Clients page.

This page presents a summary of the clients who are prevented (manually barred by the MAC address) from accessing to network services.


• Search by MAC Address—MAC address that you can specify to search for a disabled client. Click Search to search for a disabled client.

• MAC Address—Disabled client MAC address.

• Description—Description of the disabled client.


• Click the MAC address to open the Disabled Client > Edit page.

• Click the blue arrow adjacent the desired client and choose Remove to enable a client that was formerly disabled.

Click New to manually disable a client (see Adding Disabled Clients for more information).

Adding Disabled ClientsChoose SECURITY > AAA > Disabled Client and then click New or MONITOR > Clients then click Disable to navigate to the Disabled Client > New page.

This page enables you to disable a client by its MAC address.



Chapter 6 Security Tab User Policies

• Description— Client description of the client you want to disable.

Note When you enter a client MAC address to be disabled, the operating system checks that the MAC address is not one of the known Local Net clients (Local Net Users), Authorized clients (MAC Filtering), or Local Management users (Local Management Users) MAC addresses. If the entered MAC address is on one of these three lists, the operating system does not allow the MAC address to be manually disabled.


Editing Disabled ClientsChoose SECURITY > AAA > Disabled Clients and then click Edit to navigate to the Disabled Client > Edit page.

This page enables you to change the client description, based on the client MAC address that prevents a client from accessing the network.


• Description—Description of the disabled client.


User PoliciesChoose SECURITY > AAA > User Login Policies to navigate to the User Policies page.

This page enables you to specify the maximum number of concurrent logins for a single username, 0 (unlimited) through eight.


AP PoliciesChoose SECURITY > AAA > AP Policies to navigate to the AP Policies page.

This page enables you to set policies that help in the authorization of access points. Access points are authorized against AAA and/or a certificate.

This table describes the policy configuration parameters.


Chapter 6 Security Tab AP Policies

Note Before you can accept an LSC, you must enable LSC on the Cisco WLC. See the Local Significant Certificates page for information on enabling LSC on the Cisco WLC.

To delete an access point from the authorization list, click the blue arrow adjacent the desired access point and choose Remove.

Search by MAC

You can search the AP Authorization List by MAC address.

Enter the MAC address as six two-digit hexadecimal numbers separated by colons (for example, 01:23:45:67:89:AB) and click Search. The AP Authorization Details page is displayed.

Adding an AP to Authorization List

To add an access point to the authorization list of a Cisco 4100 Series Wireless LAN Controller, follow these steps:

Step 1 Click Add to display the Add AP to Authorization List area.

Step 2 In the MAC Address text box, enter the MAC address of the AP.

Step 3 From the Certificate Type drop-down list, choose MIC.

Step 4 Click Add.

To add an AP to the authorization list of a Cisco 2000 Series Wireless LAN Controller or Cisco 4400 Series Wireless LAN Controller, follow these steps:

Step 1 Click Add to display the Add AP to Authorization List area.

Table 6-5 Policy Configuration Parameters


Accept Self Signed Certificate (SSC) Check box that you can select if you want the access point to accept self-signed certificates (SSCs).

Accept Manufactured Installed Certificate (MIC) Check box that you can select if you want the access point to accept manufactured installed certificates (MICs).

Accept Local Significant Certificate (LSC) Check box that you can select if you want the access point to accept local significant certificate (LSC).

Authorize MIC APs against auth-list or AAA Check box that you can select if you want the access points to be authorized against AAA.

Authorize LSC APs against auth-list Check box that you can select if you want the access points to be authorized against a local significant certificate.


Chapter 6 Security Tab Password Policies

Step 2 In the MAC Address field, enter the MAC address of the AP.

Step 3 From the Certificate Type drop-down list, choose MIC, SSC, or LSC.

Step 4 In the SHA1 Key Hash text box, enter the SHA1 key hash in hexadecimal format.

Note The SHA1 Key Hash option is displayed only if you have chosen SSC as the certificate type in the previous step.

Step 5 Click Add AP to AuthList.


Password PoliciesChoose SECURITY > AAA > Password Policies to navigate to the Password Policies page.

This page enables you to enforce strong password checks on newly created passwords for additional management users of Cisco WLC and access point. The following are the requirements enforced on the new password:

• When the Cisco WLC is upgraded from old version, all the old passwords are maintained as it is, even though the passwords are weak. After the system upgrade, if strong password checks are enabled, the same is enforced from that time and the strength of previously added passwords will not be checked or altered.

• Depending on the settings done in the Password Policy page, the local management and access point user configuration is affected.

This table describes the password policy parameters.

Table 6-6 Password Policy Parameters


Password Policies —Local Management User and AP

Password must contain characters from at least three different classes

Check box that you can select if you want your password to contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.

No character can be repeated more than three times consecutively

Check box that you enable if you do not want any character in the new password to be repeated more than three times consecutively.

Password cannot be default words such as cisco, admin

Check box that you can select if you do not want the password to contain words such as Cisco, ocsic, admin, nimda, or any variant obtained by changing the capitalization of letters or by substituting 1, |, or ! or substituting 0 for o, or substituting $ for s.


Chapter 6 Security Tab Password Policies

Password cannot contain username or reverse of username

Check box that you can enable if you do not want the password to contain a username or the reverse letters of a username.

Password position check Check box that you can enable to verify a four-character change from the old password.

Password case digit check Check box that you can enable to verify if all four combinations (lower, upper, digits) or special characters are there in the password.

Strong password minimum length Minimum length of the password.

Strong password minimum upper case characters Minimum number of upper-case characters that are required in the password.

Strong password minimum lower case characters Minimum number of lower-case characters that are required in the password.

Strong password minimum digits Minimum number of digits that are required in the password.

Strong password minimum special characters Minimum number of special characters that are required in the password.

Management User

Management User Lockout Enable Check box that you can select to lock out a management user when the number of successive failed attempts exceeds the Management User Lockout Attempts. When disabled, this option unlocks the management user who was locked out.

Management User Lockout Attempts Number of successive incorrect password attempts after which the management user is locked.

Management User Lockout Time Amount of time, in seconds, after lockout attempts when the management user is locked.

Management User Password Lifetime Number of days before the management user requires a change of password due to the age of the password.

SNMPv3 User

SNMP User Lockout Enable Check box that you can select to lock out an SNMP user when the number of successive failed attempts exceeds the SNMP User Lockout Attempts. When disabled, this option unlocks the SNMP user who is locked out.

SNMP User Lockout Attempts Number of successive incorrect password attempts after which an SNMP user is locked.

SNMP User Lockout Time Amount of time, in seconds, after lockout attempts when an SNMP user is locked.

SNMP User Password Lifetime Number of days before an SNMP user requires a change of password due to the age of the password.

Table 6-6 Password Policy Parameters



Chapter 6 Security Tab General (Local EAP)


General (Local EAP)Choose SECURITY > Local EAP > General to navigate to the General page. This page enables you to specify timeout values for local EAP.

This table describes the local EAP parameters.

Table 6-7 Local EAP Parameters


Local Auth Active Timeout (in secs) Amount of time (in seconds) that the Cisco WLC attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fail. The valid range is 1 to 3600 seconds, and the default setting is 100 seconds.

Identity Request Timeout (in secs) Amount of time (in seconds) in which the Cisco WLC attempts to send an EAP identity request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 1 second.

Identity request Max Retries Maximum number of times that the Cisco WLC attempts to retransmit the EAP identity request to wireless clients using local EAP. The valid range is 1 to 20 retries, and the default setting is 20 retries.

Dynamic WEP Key Index Key index used for dynamic wired equivalent privacy (WEP). The default setting is 0.

Request Timeout (in secs) Amount of time (in seconds) in which the Cisco WLC attempts to send an EAP request to wireless clients using local EAP. The valid range is 1 to 120 seconds, and the default setting is 1 second.

Request Max Retries Maximum number of times that the Cisco WLC attempts to retransmit the EAP request to wireless clients using local EAP. The valid range is 1 to 120 retries, and the default setting is 20 retries.

Max-Login Ignore Identity Response Number of devices that you can be connected to the Cisco WLC with the same username. You can log in up to eight times from different devices (PDA, laptop, IP phone, and so on) on the same Cisco WLC. The default value is enabled.

EAPOL-Key Timeout Amount of time (in seconds) in which the Cisco WLC attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 1 to 5 seconds, and the default setting is 1 second.

EAPOL-Key Max Retries Maximum number of times that the Cisco WLC attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 0 to 4 retries, and the default setting is 2 retries.


Chapter 6 Security Tab Local EAP Profiles


Local EAP ProfilesChoose SECURITY > Local EAP > Profiles to navigate to the Local EAP Profiles page.

Note Local EAP Profiles is not supported on AP602 OEAP.

This page lists any local EAP profiles that you have configured and specifies their EAP types. You can create up to 24 local EAP profiles. To remove an existing profile, click the blue arrow adjacent the desired profile and choose Remove.


• Profile Name—Profile name.

• LEAP—Check box indicating if Local EAP is enabled. The default is disabled.

• EAP-FAST—Check box indicating if EAP-FAST is enabled. The default is disabled.

• EAP-TLS—Check box indicating if EAP-TLS is enabled. The default is disabled.

• PEAP—Check box indicating if PEAP is enabled. The default is disabled.

Click New to create a new local EAP profile.


Adding Local EAP ProfilesChoose SECURITY > Local EAP > Profiles and then click New to navigate to the Local EAP Profiles > New page.

This page enables you to create a local EAP profile, which specifies the EAP authentication types that are supported on the wireless clients. This page allows you to modify the following settings:

• Profile Name—Name (up to 63 alphanumeric characters; do not include spaces) for your new profile.

After you create a profile, you can edit the parameters from the Editing Local EAP Profiles page.


Editing Local EAP ProfilesChoose SECURITY > Local EAP > Profiles and then click on the profile name to navigate to the Local EAP Profiles > Edit page.

This page enables you to edit a local EAP profile used for authentication:

• LEAP.

• EAP-FAST.


Chapter 6 Security Tab EAP-FAST Method Parameters

• EAP-TLS.

• PEAP—EAP type used for local authentication. Both PEAPv0/EAP-MSCHAPv2 and PEAPv1/EAP-GTC are enabled on the Cisco WLC.

• Local Certificate Required—Setting if you use EAP-FAST and want the device certificate on the Cisco WLC to be used for authentication. If you want to use EAP-FAST with PACs instead of certificates, leave this check box unselected, which is the default setting.

• Client Certificate Required—Setting if you use EAP-FAST and want the wireless clients to send their device certificates to the Cisco WLC in order to authenticate or if you chose EAP-TLS and the client is using a certificate that is generated by a CA. If you want to use EAP-FAST with PACs instead of certificates, leave this check box unselected. The default is disabled.

• Certificate Issuer—Certificates that will be sent to the client, either from Cisco or from another Vendor. The default setting is Cisco.

• Check Against CA Certificates—Setting that you use if you want the incoming certificate from the client to be validated against the CA certificates on the Cisco WLC. The default is enabled.

• Verify Certificate CN Identity—Setting that you use if you want the common name (CN) in the incoming certificate to be validated against the CA certificates’ CN on the Cisco WLC. You must enable this setting when you use an LDAP server as backup database. The default is disabled.

• Check Certificate Date Validity—Setting that you use if you want the Cisco WLC to verify that the incoming device certificate is still valid and has not expired. The default is enabled.

Note Certificate date validity is checked against the current UTC (GMT) time that is configured on the Cisco WLC. The time zone offset will be ignored.


EAP-FAST Method ParametersChoose SECURITY > Local EAP > EAP-FAST Parameters to navigate to the EAP-FAST Method Parameters page.

This page enables you to configure the following EAP-FAST settings if you configured an EAP-FAST profile from the Adding Local EAP Profiles page:

• Server Key (in hex)—Key (in hexadecimal characters) used to encrypt and decrypt PACs.

• Confirm Server Key—Key that you reenter (in hexadecimal characters).

• Time to Live for the PAC—Number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.

• Authority ID (in hex)—Authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.

• Authority ID Information—Authority identifier of the local EAP-FAST server in text format.

• Anonymous Provision—Setting if you want to enable anonymous provisioning. This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature, PACs must be manually provisioned. Disable this feature when you use EAP-FAST with certificates. The default is enabled.


Chapter 6 Security Tab Authentication Priority


Authentication PriorityChoose SECURITY > Local EAP > Authentication Priority to navigate to the Priority Order > Local-Auth page.

This page enables you to specify the order in which user credentials are retrieved from the back-end database servers.

Highlight the desired database from the left User Credentials box.

Use the left and right arrows and the Up and Down buttons to move the desired database to the top of the right User Credentials box.

Note If both LDAP and LOCAL appear in the right User Credentials box with LDAP on the top and LOCAL on the bottom, local EAP attempts to authenticate clients using the LDAP back-end database and fails over to the local user database if the LDAP servers are not reachable. If the user is not found, the authentication attempt is rejected. If LOCAL is on the top, local EAP attempts to authenticate using only the local user database. It does not fail over to the LDAP back-end database.


Priority Order of Management UsersChoose Security > Priority Order > Management User to navigate to the Priority Order > Management User page.

This page enables you to specify the order of authentication when multiple databases are configured:

• Authentication Priority—Choose either Radius or TACACS+ to specify which server has priority over the other when the Cisco WLC attempts to authenticate.

By default, the local database is always queried first. If the username is not found, the Cisco WLC switches to the TACACS+ server if configured for TACACS+ or to the RADIUS server if configured for RADIUS. The default setting is local and then RADIUS.


Local Significant CertificatesChoose SECURITY > Certificate > LSC to navigate to the Local Significant Certificates page.

This page enables you to enable local significant certificates (LSCs) on the Cisco WLC.

Prior to release Cisco WLC 7.0, MAPs supported only the Manufactured Installed Certificate (MIC) for authentication and association with the Cisco WLC. Starting with this release, you can use an LSC if you want your own public key infrastructure (PKI) to provide better security, to have control of your certificate authority (CA), and to define policies, validity periods, restrictions, and usages on the


Chapter 6 Security Tab Local Significant Certificates

generated certificates. After these customer-generated or locally significant certificates (LSCs) are present on the APs and Cisco WLCs, the devices start using these LSCs, to join, authenticate, and derive a session key. Cisco supported normal APs from the Cisco WLC 5.2 release and later releases and extended the support for mesh APs as well from the Cisco WLC 7.0 release.

The LSC is installed on access points and Cisco WLCs. You need to provision the LSC first on the Cisco WLC, which should be configured to communicate with a CA server.

Note Only external dedicated CA servers are supported in this release.

The access point gets a signed X.509 certificate by sending a certRequest to the Cisco WLC. The Cisco WLC acts as a CA proxy and receives the certRequest signed by the CA for the access point.

Note Access points that are configured in bridged mode are not supported.

General TabThis table describes the LSC parameters.



Certificate Type Certificates that are added to the Cisco WLC’s CA certificate database.

To add the CA certificate or device certificate into the Cisco WLC’s CA certificate database, click the blue arrow adjacent the desired certificate type and choose Add.

To remove a certificate, click the blue arrow adjacent the desired certificate type and choose Remove.

Enable LSC on Controller Check box to enable LSC on the Cisco WLC. The default is disabled.


Chapter 6 Security Tab Local Significant Certificates

AP Provisioning TabThis table describes the AP provisioning tab parameters.

CA Server URL URL of the CA server in the following format:

http://url:port/path

The url can be either a domain name or an IP address.

Params Parameters for the device certificate. The keysize is a value from 384 to 2048 (in bits); the default value is 2048. The following parameters are available:

• Country Code—Enter the country code. The country code is a three byte string.

• State—Enter the state. This value can be up to 64 bytes.

• City—Enter the city. The value can be up to 64 bytes.

• Organization—Enter the organization. The value can be up to 64 bytes.

• Department—Enter the department. The value can be up to 64 bytes.

• Email—Enter a valid e-mail address.

• Key Size—Enter the key size. The range includes 360 to 2048 bits. The default is 2048.



Table 6-9 AP Provisioning Tab Parameters


Enable Parameter that enables you to provision the LSC on the access point. Click Update to enable an LSC on the access point. The default is disabled.

Number of attempts to LSC Number of times that the access point attempts to join the Cisco WLC using an LSC before the access point reverts to the default certificate (MIC or SSC). The valid range is 0 to 255, and the default value is 3.

If you set the number of retries to a nonzero value and the access point fails to join the Cisco WLC using an LSC after the configured number of retries, the access point reverts to the default certificate.

If you set the number of retries to 0 and the access point fails to join the Cisco WLC using an LSC, the access point does not attempt to join the Cisco WLC using the default certificate.

Note If you are configuring an LSC for the first time, we recommend that you configure a nonzero value.


Chapter 6 Security Tab Self Significant Certificates


Self Significant CertificatesChoose SECURITY > Certificate > SSC to navigate to the Self Signed Certificates page.

This page enables you to view the Self Signed Certificate of the virtual Cisco WLC and enable hash validation of the SSC certificate by the access points.

Virtual Cisco WLCs use SSC certificates instead of Manufacturing Installed Certificates (MIC) used by physical Cisco WLCs.

You can select the Enable SSC Hash Validation check box to allow an AP to validate the SSC certificate of the virtual Cisco WLC. When an AP validates the SSC certificate, it checks if the hash key of the virtual Cisco WLC matches the hash key stored in its flash. If a match is found, the validation passes and the AP moves to the Run state. If a match is not found, the validation fails and the AP disconnects from the Cisco WLC and restarts the discovery process.

By default, hash validation is enabled. Therefore, an AP must have the virtual Cisco WLC hash key in its flash before associating with the virtual Cisco WLC. If you disable hash validation of the SSC certificate, the AP bypasses the hash validation and directly moves to the run state.

To configure the hash key of the virtual Cisco WLC, choose CONTROLLER > Mobility Management > Mobility Groups, click New and enter the IP address, MAC address, mobility group name, and hash key of the virtual Cisco WLC.

APs can associate with a physical Cisco WLC, download the hash keys and then associate with a virtual Cisco WLC. If the AP is associated to a physical Cisco WLC, if hash validation is disabled, it joins any virtual Cisco WLC without hash validation.

Access Control ListsChoose SECURITY > Access Control Lists > Access Control Lists to navigate to the Access Control Lists page.

This page enables you to view current access control lists (ACLs) that are similar to standard firewall access control lists.

Note You can define up to 64 ACLs with up to 64 rules (filters) per ACL.

• Enable Counters—Check box that you can select to see if packets are hitting any of the ACLs that are configured on your Cisco WLC. The default is unselected.

AP Ethernet MAC Addresses Ethernet MAC address of the access point.

MAC Address Access point MAC addresses.

Table 6-9 AP Provisioning Tab Parameters



Chapter 6 Security Tab Access Control Lists

Note ACL counters are available only on the following Cisco WLCs: Cisco 5500 Series Controller, Cisco 4400 Series Controller, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch.

• Name—ACL name to open the Editing Access Control Lists page.

• Type—IPv4 or IPv6 ACL.

To remove an existing ACL, click the blue arrow adjacent the desired ACL and choose Remove.

To clear the counters for an ACL, click the blue arrow adjacent the desired ACL and choose Clear Counters.

Guidelines

• Pre-auth ACL must have the following two rules for proper operation:

– One allowing traffic to the DNS server.

– One allowing traffic from the DNS server.

• Beginning in Cisco WLC Release 7.4 and later, DNS traffic is handled based on deny rules defined in the WLAN Pre-Auth ACL.

– If no Pre-Auth ACL is configured and applied, then all DNS packets are allowed to pass to any server.

– If Pre-Auth ACL is configured, but no matching deny rule is configured, then allow all DNS packets to pass to any server.

– If Pre-Auth ACL is configured with a rule to allow DNS traffic to a given server and a rule configured to drop all traffic based on protocol/IP address, then allow DNS to one server only and block all other DNS traffic.

Click New to add a new ACL (see the Adding Access Control Lists topic).


Adding Access Control ListsChoose SECURITY > Access Control Lists > Access Control Lists and then click New to navigate to the Access Control Lists > New page.

• Access Control List Name— ACL name that you can specify.

• Access Control List Type—ACL type as either IPv4 or IPv6.


Editing Access Control ListsChoose SECURITY > Access Control Lists > Access Control Lists and then click on the ACL name to navigate to the Access Control Lists > Edit page.

This page enables you to view and/or change an ACL definition, which is similar to standard firewall ACLs.



Note You can define up to 64 ACLs with up to 64 rules (filters) per ACL.

To remove a rule, click the blue arrow adjacent the desired ACL and choose Remove.

This table describes the current rule parameters.

Table 6-10 Current Rule Parameters


Access List Name Name of the ACL.

Deny Counters Number of times that packets have matched the explicit deny ACL rule.

Note You must enable ACL counters on the Access Control Lists page to enable the Deny Counters.

Sequence Up to 64 rules can be defined for each ACL.



Note Click the sequence number to modify the rule (See the Editing Access Control Lists Rules topic).



Source IP/Mask Any or IPv4 or IPv6 address and netmask. For IPv6 addresses, the prefix length is also displayed.

Destination IP/Mask Any or IPv4 or IPv6 address and netmask. For IPv6 addresses, the prefix length is also displayed.



When the ACL contains one or more ACL rule, click the sequence number to modify the rule on the Editing Access Control Lists Rules page.

Click Add New Rule to add a new rule to an existing ACL.

Editing Access Control Lists RulesChoose SECURITY > Access Control Lists > Access Control Lists, click the ACL name. Click the sequence number of the rule that you want to change to navigate to the Access Control Lists > Rules > Edit page.

This page enables you to change an ACL rule definition.

Note The operating system enables you to define up to 64 ACLs with up to 64 rules (filters) per ACL.

This table describes the rule parameters.





• ICMP—Internet Control Message Protocol











Direction Any, Inbound (from client), or Outbound (to client).

Number of Hits Number of times that packets have matched an ACL rule.

Note This field appears only if you enabled ACL counters on the Access Control Lists page.

Table 6-10 Current Rule Parameters




Table 6-11 Rule Edit Parameters


Sequence Up to 64 rules can be defined for each ACL.


Note If you add or change a sequence number, the operating system adjusts the other rule sequence numbers to retain the contiguous sequence. For instance, if you have sequence numbers 1 through 7 defined and change number 7 to 5, the operating system automatically reassigns Sequence 6 to 7 and sequence 5 to 6.

Source Any or IPv4 or IPv6 address and netmask. For IPv6 addresses, the prefix length is also displayed.

Destination Any or IPv4 or IPv6 address and netmask. For IPv6 addresses, the prefix length is also displayed.

Protocol






• ICMP—Internet Control Message Protocol











Adding Access Control Lists RulesChoose SECURITY > Access Control Lists > Access Control Lists, click the ACL name of an existing ACL, and then click Add New Rule to navigate to the Access Control Lists > Rules > New page.

This table describes the new rule parameters.

Source Port/Destination Port Source/Destination Ports for this ACL:

• Any

• HTTP

• HTTPS

• Telnet

• RADIUS

• DHCP Server

• DHCP Client

• DNS

• L2TP

• PPTF Control

• SMTP

• SNMP

• LDAP

• Kerberos

• NetBIOS NS

• NetBIOS DS

• NetBIOS SS

• MS Dir Server

• Other

• Port Range



Action


Deny or Permit.

Table 6-11 Rule Edit Parameters




Table 6-12 New Rule Parameters




Note If you add or change a sequence number, the operating system adjusts the other rule sequence numbers to retain the contiguous sequence. For instance, if you have sequence numbers 1 through 7 defined and change number 7 to 5, the operating system automatically reassigns sequence 6 to 7 and Sequence 5 to 6.



Protocol














• Other—Any other IANA protocol (Go to IANA’s Website)



Chapter 6 Security Tab CPU Access Control Lists

CPU Access Control ListsChoose SECURITY > Access Control Lists > CPU Access Control Lists to navigate to the CPU Access Control Lists page.

This page enables you to configure and apply an Access Control List (ACL) to the Cisco WLC CPU to control traffic to the CPU.

This table describes the CPU ACL parameters.


FlexConnect ACLsWith FlexConnect ACLs, you can control access at the FlexConnect AP for protection and integrity of locally switched data traffic from the AP. Using the Cisco WLC, you can create FlexConnect ACLs and then configure the FlexConnect ACL with the WLAN using WLAN-ACL mapping. These are then pushed to the AP.

Choose SECURITY > Access Control Lists > FlexConnect ACLs to navigate to the FlexConnect ACLs page.




Table 6-12 New Rule Parameters


Table 6-13 CPU ACL Parameters

Parameter Description Default

Enable CPU ACL Designated ACL that you can enable to control the IPv4 traffic to the Cisco WLC CPU.

Unselected (disabled)

ACL Name Previously configured ACL. To configure an ACL, see Adding Access Control Lists.

If you choose none while the CPU ACL feature is enabled, an error message appears.

none

Enable CPU IPv6 ACL Designated ACL that you can enable to control the IPv6 traffic to the Cisco WLC CPU.

Unselected (disabled)

IPv6 ACL Name Previously configured ACL. To configure an ACL, see Adding Access Control Lists.

If you choose none while the CPU ACL feature is enabled, an error message appears.

none


Chapter 6 Security Tab FlexConnect ACLs

This page enables you to list the ACLs configured for FlexConnect access points. To remove a FlexConnect ACL, click the blue arrow adjacent the desired ACL and choose Remove.

Click New to add a new FlexConnect ACL.

Adding FlexConnect ACLsChoose SECURITY > Access Control Lists > FlexConnect ACLs and click New. The FlexConnect ACL > New page enables you to create an ACL. Enter the FlexConnect ACL name in the Access Control List Name text box.

Click Apply to create the new FlexConnect ACL with the configured name.

Editing Access Control ListChoose SECURITY > FlexConnect ACLs and click the ACL name of an existing ACL to open the Access Control List > Edit page.

This table describes the FlexConnect ACL parameters.



General

Access List Name Name of the FlexConnect ACL.

Seq Up to 64 rules can be defined for each ACL.





Source IP/Mask Any or IPv4 or IPv6 address and netmask. For IPv4 addresses, the netmask is displayed and for IPv6 addresses, the prefix length is displayed.

Destination IP/Mask Any or IPv4 or IPv6 address and netmask. For IPv4 addresses, the netmask is displayed and for IPv6 addresses, the prefix length is displayed.



Click Add a New Rule to add a new rule to an existing ACL .

Adding FlexConnect ACL RulesChoose SECURITY > Access Control List > FlexConnect ACLs to navigate to the FlexConnect Access Control Lists page. Click an ACL name to open the Access Control List > Edit page and click Add New Rule button to create a new ACL Rule.

This table describes the FlexConnect ACL new rule parameters.
















DSCP Any or Specific (from 0 to 63) Differentiated Services Code Point (DSCP). A packet header code that can be used to define quality of service (QoS) across the Internet.









Note If you add or change a sequence number, the operating system adjusts the other rule sequence numbers to retain the contiguous sequence. For instance, if you have sequence numbers 1 through 7 defined and change number 7 to 5, the operating system automatically reassigns sequence 6 to 7 and Sequence 5 to 6.



Protocol
















Chapter 6 Security Tab Rogue Policy

Rogue PolicyChoose SECURITY > Wireless Protection Policies > Rogue Policies > General to navigate to the Rogue Policies page.

This page enables you to select global parameters for rogue access point detection.

Note The Cisco 5500 Series Wireless Controllers support up to 2000 rogues (including acknowledged rogues); the Cisco 4400 Series Wireless Controllers, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch support up to 625 rogues, and Controller Network Module for Integrated Services Routers support up to 125 rogues. Each Cisco WLC limits the number of rogue containments to three per radio (or six per radio for access points in monitor mode).

Rogue Location Discovery Protocol

The Cisco WLC continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the Cisco WLC discovers a rogue access point, it uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network.

You can configure the Cisco WLC to use RLDP on all access points or only on access points configured for monitor (listen-only) mode. The later option facilitates automated rogue access point detection in a crowded RF space, allowing monitoring without creating unnecessary interference and without affecting regular data access point functionality. If you configure the Cisco WLC to use RLDP on all access points, the Cisco WLC always chooses the monitor access point for RLDP operation if a monitor access point and a local (data) access point are both nearby. If RLDP determines that the rogue is on your network, you can choose to either manually or automatically contain the detected rogue.

Note RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS) on a monitor mode access point.

Rogue PoliciesThis table describes the rogue policy parameters.








Table 6-16 Rogue Policy Parameters


Rogue Detection Security Level Rogue detection security level that you can select:

• Low—Basic rogue detection for small-scale deployments. Auto containment is not supported for this security level.

• High—Basic rogue detection and auto containment for medium-scale or less critical deployments. RLDP is disabled for this security level.

• Critical—Basic rogue detection, auto containment, and RLDP for highly critical deployments.

• Custom—You can configure the rogue policy parameters.

Each security level has preset configurations for each rogue detection security level.

Rogue Location Discovery Protocol RLDP options that you can specify:

• Disable—Disables RLDP. This is the default value. If the rogue detection security level is Low, RLDP is disabled.

• Monitor Mode APs—Enables RLDP only on monitor mode access points. If the rogue detection security level is High, the RLDP mode is set to Monitor Mode APs mode.

• All APs—Enables RLDP on all the access points (monitor mode and data). If the rogue detection security level is Critical, the RLDP mode is All APs.

Note If you configure the Cisco WLC to use RLDP on all the access points, the Cisco WLC always chooses the monitor access point for the RLDP operation if a monitor access point and a local (data) access point are both nearby.

Expiration Timeout for Rogue AP and rogue Client Entries

Number of seconds after which the rogue access point will be taken off the list. The range is from 240 to 3600 and the default value is 1200. The expiration timeout for rogue AP and client entries for each rogue detection security levels are as follows:

• Low—240

• High—1200

• Critical—10

Validate rogue clients against AAA Validation that you can enable using the AAA server or local database to validate if rogue clients are valid clients. The default is disabled. If DNS query is enabled (SECURITY > AAA > RADIUS > DNS), the validation occurs using the RADIUS list from the DNS server.

Validate rogue clients against MSE Validation that you can enable using MSE to validate if rogue clients are valid clients. The default is disabled.

You cannot validate rogue clients against MSE and AAA at the same time.



This table describes the details of rogue containment automatic rate selection.

Detect and report Ad-Hoc Networks Ad-hoc rogue detection and reporting that you can enable or disable. The default value is enabled.

Rogue Detection Report Interval (10 to 300 Sec)

Time interval, in seconds, at which the APs should send the rogue detection report to the Cisco WLC. The default value is 10. The rogue detection report interval for each rogue detection security levels are as follows:

• Low—60

• High—30

• Critical—10

Note This feature is applicable to APs that are in monitor mode only.

Rogue Detection Minimum RSSI (–70 dBm to –128 dBm)

Minimum RSSI value that a rogue should have for the APs to detect and for the rogue entry to be created in the controller. The default value is –128 dBm. The rogue detection minimum RSSI for each rogue detection security levels are as follows:

• Low— –80 dBm

• High— –128 dBm

• Critical— –128 dBm

Note This feature is applicable to all the AP modes.

Rogue Detection Transient Interval Time interval, in seconds, at which a rogue has to be consistently scanned for by the AP after the first time the rogue is scanned. After the rogue is scanned for consistently, updates are sent periodically to the Cisco WLC. The APs filter the transient rogues that are active for a very short period and are then silent. The range is from 120 to 1800. The rogue detection transient interval for each rogue detection security level is as follows:

• Low—120

• High—300

• Critical—600

Note This feature applies to APs that are in monitor mode only.

Rogue Client Threshold Threshold rogue client count after which a trap is sent from the Cisco WLC. Enter 0 to disable the feature. The range is from 1 to 256. The default is disabled. The rogue client threshold for each rogue detection security levels is 0.

Rogue Containment Automatic Rate Selection

Check box that you can select to enable automatic rate selection for rogue containment.

Table 6-16 Rogue Policy Parameters




Auto Contain

If you want the Cisco WLC to automatically contain certain rogue devices, check the following check boxes. Otherwise, leave the check boxes unselected, which is the default value.

Caution When you enable any of these parameters, the following warning appears:

“Using this feature may have legal consequences. Do you want to continue?”

The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.

This table describes the auto contain parameters.

RSSI (dBm) 802.11b/g Tx Rate (Mbps) 802.11a Tx Rate (Mbps)

–74 1 6

–70 2 12

–55 5.5 12

< –40 5.5 18

Table 6-17 Auto Contain Parameters


Auto Containment Level Drop-down list from which you can choose the rogue auto containment level from 1 to 4.

You can choose up to four APs for auto containment when a rogue is moved to a contained state through any of the auto containment policies.

You can also choose Auto for automatic selection of the number of APs used for auto containment. The Cisco WLC chooses the required number of APs based on the RSSI for effective containment.

The RSSI value associated with each containment level is as follows:

• 1—0 to –55 dBm

• 2— –75 to –55 dBm

• 3— –85 to –75 dBm

• 4—Less than –85 dBm

Auto Containment only for Monitor mode APs

Check box that you can select to enable the monitor mode APs for auto containment. The default is disabled.


Chapter 6 Security Tab Rogue Rules


Rogue RulesChoose SECURITY > Wireless Protection Policies > Rogue Policies > Rogue Rules to navigate to the Rogue Rules page.

This page enables you to add new rogue rules and to change the priority of the rogue rules.

Note Rule-based rogue classification does not apply to ad-hoc rogues and rogue clients.

This table describes the rogue rules parameters.

Auto Containment on FlexConnect Standalone

Check box that you can select to enable auto containment on FlexConnect APs in the standalone mode. The default is disabled. When the FlexConnect APs are in the standalone mode, you can enable only the Using our SSID or AdHoc Rogue AP auto containment policies. The containment stops after the standalone AP connects back to the Cisco WLC.

Rogue on Wire Check box that you enable to automatically contain the rogues that are detected on the wired network. The default is disabled.

Using our SSID Check box that you enable to automatically contain those rogues that are advertising your network’s SSID. If you leave this parameter unselected, the Cisco WLC only generates an alarm when such a rogue is detected. The default is disabled.

Valid client on Rogue AP Check box that you enable to automatically contain a rogue access point to which trusted clients are associated. If you leave this parameter unselected, the Cisco WLC only generates an alarm when such a rogue is detected. The default is disabled.

AdHoc Rogue AP Check box that you enable to automatically contain ad-hoc networks detected by the Cisco WLC. If you leave this parameter unselected, the Cisco WLC only generates an alarm when such a network is detected. The default is disabled.

Table 6-17 Auto Contain Parameters


Table 6-18 Rogue Rules Parameters


Rule Name Name of the rogue rule. You can configure a maximum of 64 rogue rules.

Type Whether the rule is Friendly, Malicious, or Custom.

Status Status of the rule: enabled or disabled.



Notify Type of notification upon rule match that is one of the following:

• All—Notifies the Cisco WLC and a trap receiver such as Cisco Prime Infrastructure.

• Global—Notifies only a trap receiver such as Cisco Prime Infrastructure.

• Local—Notifies only the Cisco WLC.

• None—No notifications are sent.

State State of the rogue access point after a rule match. It can be one of the following:

• Alert—The unknown access point is not in the neighbor list or in the user-configured friendly MAC list. The Cisco WLC forwards an immediate alert to the system administrator for further action.

• Contain—The Cisco WLC contains the offending device so that its signals no longer interfere with authorized clients.

• Internal—The unknown access point is inside the network and poses no threat to WLAN security. The Cisco WLC trusts this rogue access point. For example, the access points in your lab network is an internal rogue access point.

• External—The unknown access point is outside the network and poses no threat to WLAN security. The Cisco WLC acknowledges the presence of this rogue access point. For example, the access points that belongs to a neighboring coffee shop are external rogue access points.

• Delete—The rogue access point is deleted from the database when the rogue rule is applied to the rogue access point.

Match Operation Click the Match All radio button to enable the rogue rule only when a detected rogue access point meets all the conditions of the rule.

Click the Match Any radio button to enable the rule when any of the conditions are met.





Enable Rule Check box that you can select to enable a rogue rule.

Condition Drop-down list from which you can choose one or more of the following rogue rule conditions:

• SSID—Requires that a rogue access point have a specific user-configured SSID. If you choose this option, enter the SSID in the User-Configured SSID text box, and click Add SSID. You can configure up to 25 SSIDs per rogue rule.

• RSSI—Requires that a rogue access point have a minimum RSSI value. For example, if the rogue access point has an RSSI that is greater than the configured value, the access point is classified as malicious. If you choose this option, enter the minimum RSSI value in the Minimum RSSI text box. The range is from –95 to –50 dBm (inclusive), and the default value is 0 dBm.

• Duration—Requires that a rogue access point be detected for a minimum period of time. If you choose this option, enter a value for the minimum detection period in the Time Duration text box. The range is from 0 to 3600 seconds (inclusive), and the default value is 0 seconds.

• Client Count—Requires that a minimum number of clients be associated to a rogue access point. For example, if the number of clients associated to a rogue access point is greater than or equal to the configured value, the access point is classified as malicious. If you choose this option, enter the minimum number of clients to be associated to the rogue access point in the Minimum Number of Rogue Clients text box. The range is from 1 to 10 (inclusive), and the default value is 0.

• No Encrytion—Requires that a rogue access point’s advertised WLAN does not have encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it. No further configuration is required for this option.

• Managed SSID—Requires that a rogue access point’s managed SSID (the SSID configured for the WLAN) be known to the Cisco WLC. No further configuration is required for this option.

• Substring SSID—Requires that a rogue access point have a substring of a user-configured SSID. If you choose this option, enter the substring of the SSID in the User-Configured SSID text box. For example, if you have an SSID as ABCDE, you can specify the substring as ABCD or ABC. You can classify multiple SSIDs with matching patterns. You can configure up to 25 SSID substrings per rogue rule.





• Click Add Rule to add a new rogue rule:

a. Enter a rule name. The rule name cannot contain any spaces.

b. Choose the rule type (Friendly or Malicious) to classify rogue access points that match this rule as friendly or malicious.

c. Click Add.

• Click the rule name to open the Editing Rogue Rules page.

Click Add Rule to add a new rogue rule.

Click Change Priority to change the order in which rogue classification rules are applied.

Editing Rogue RulesChoose SECURITY > Wireless Protection Policies > Rogue Policies > Rogue Rules and click the rule name to navigate to the Rogue Rule > Edit page.

Note Rule-based rogue classification does not apply to ad-hoc rogues and rogue clients.

This page enables you to edit the rogue rule settings.

This table describes the rogue rule parameters.

Table 6-19 Rogue Rule Parameters


Rule Name Name of the rogue rule.

Type Whether the rule is Friendly, Malicious, or Custom.

Notify Type of notification upon rule match that is one of the following:

• All—Notifies the Cisco WLC and a trap receiver such as Cisco Prime Infrastructure.

• Global—Notifies only a trap receiver such as Cisco Prime Infrastructure.

• Local—Notifies only the Cisco WLC.

• None—No notifications are sent.



Conditions

To add conditions to the rogue rule, select the condition from the drop-down list and click Add Condition.

This table describes the rogue rules condition parameters.

State State of the rogue access point after a rule match. It can be one of the following:

• Alert—The unknown access point is not in the neighbor list or in the user-configured friendly MAC list. The Cisco WLC forwards an immediate alert to the system administrator for further action.

• Contain—The Cisco WLC contains the offending device so that its signals no longer interfere with authorized clients.

• Internal—The unknown access point is inside the network and poses no threat to WLAN security. The Cisco WLC trusts this rogue access point. For example, the access points in your lab network is an internal rogue access point.

• External—The unknown access point is outside the network and poses no threat to WLAN security. The Cisco WLC acknowledges the presence of this rogue access point. For example, the access points that belongs to a neighboring coffee shop are external rogue access points.

• Delete—The rogue access point is deleted from the database when the rogue rule is applied to the rogue access point.

Match Operation Rule that you choose:

• Match All—If this rule is enabled, a detected rogue access point must meet all of the conditions specified by the rule in order for the rule to be matched and the rogue to adopt the classification type of the rule.

• Match Any—(Default) If this rule is enabled, a detected rogue access point must meet any of the conditions specified by the rule in order for the rule to be matched and the rogue to adopt the classification type of the rule.

Enable Rule Rule that you enable or disable. The default is disabled.

Severity Score Custom classification severity score. The range is from 1 to 100. This field appears only when you choose Custom rule type.

Classification Name Custom classification name. The name can be up to 32 case-sensitive, alphanumeric characters.This field appears only when you choose Custom rule type.

Table 6-19 Rogue Rule Parameters




To remove a condition, click the blue arrow adjacent the desired condition and choose the Remove link.


Table 6-20 Rogue Rules Condition Parameters


Time Duration (0 to 3600) Requires that the rogue access point be detected for a minimum period of time. If you choose this option, enter a value for the minimum detection period in the Time Duration field.

The range is from 0 to 3600 seconds (inclusive), and the default value is 0 seconds.

Minimum RSSI (-95 to -50) Requires that the rogue access point have a minimum received signal strength indication (RSSI) value. For example, if the rogue access point has an RSSI that is greater than the configured value, the access point could be classified as malicious. If you choose this option, enter the minimum RSSI value in the Minimum RSSI field.

The range is from –95 to –50 dBm (inclusive), and the default value is 0 dBm.

Minimum number of Rogue client (1-10)

Requires that a minimum number of clients be associated to the rogue access point. For example, if the number of clients associated to the rogue access point is greater than or equal to the configured value, the access point could be classified as malicious. If you choose this option, enter the minimum number of clients to be associated to the rogue access point in the Minimum Number of Rogue Clients field.

The range is from 1 to 10 (inclusive), and the default value is 0.

No Encryption Requires that the rogue access point’s advertised WLAN does not have encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it. No further configuration is required for this option.

Note Prime Infrastructure refers to this option as “Open Authentication.”

Managed SSID1

1. The SSID and Managed SSID conditions cannot be used with the Match All operation because these two SSID lists are mutually exclusive. If you define a rule with Match All and have these two conditions configured, the rogue access points are never classified as friendly or malicious because one of the conditions can never be met.

Requires that the rogue access point’s managed SSID (the SSID configured for the WLAN) be known to the Cisco WLC. No further configuration is required for this option.

User configured SSID1 Requires that the rogue access point have a specific user-configured SSID. If you choose this option, enter the SSID in the User Configured SSID field, and click Add SSID. You can add multiple SSIDs.

To remove an SSID, select the SSID and click Remove.


Chapter 6 Security Tab Friendly Rogues

Priority of Rogue RulesChoose SECURITY > Wireless Protection Policies > Rogue Policies > Rogue Rules and click Change Priority to navigate to the Rogue Rules > Priority page.

This page enables you to change the order in which rogue classification rules are applied.

Highlight the rule for which you want to change the priority, and click Up to raise its priority in the list or Down to lower its priority in the list.

Continue to move the rules up or down until the rules are in the desired order.


Friendly RoguesChoose SECURITY > Wireless Protection Policies > Rogue Policies > Friendly Rogue to navigate to the Friendly Rogue page.

This page enables you to classify any rogue access points as friendly and add them to the friendly MAC address list.

To classify a rogue rule, follow these steps:

Step 1 In the MAC Address text box, enter the MAC address of the friendly rogue access point.


Step 3 Click Save Configuration to save your changes.

This access point is added to the Cisco WLC’s list of friendly access points and appears on the Friendly Rogue APs page.


Standard SignaturesChoose SECURITY > Wireless Protection Policies > Standard Signatures to access the Standard Signatures page.

This page enables you to view standard signature information:

• Enable Check for All Standard and Custom Signatures—Check box to enable if you want to allow all signatures (both standard and custom) whose individual states are set to Enabled to remain enabled. The default is enabled. When the signatures are enabled, the access points joined to the Cisco WLC perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the Cisco WLC.

If you unselect this check box, all signatures are disabled, even the ones whose individual states are set to Enabled.

• Precedence—Precedence Order Number.


Chapter 6 Security Tab Standard Signatures

• Name—Name of the signature.

• Frame Type—Type of frame, such as Management or Data.

• Action—Type of action to take, such as report.

• State—Whether the state is enabled or disabled.

• Description—Text description of the signature, such as “Broadcast Deauthentication Frame.”

Click the precedence order number to view more detailed information. See the Standard Signature Details topic.

Standard Signature DetailsChoose SECURITY > Wireless Protection Policies > Standard Signatures to navigate to the Standard Signatures page. Click the precedence order number to access the Standard Signature > Detail page. This page enables you to view detailed signature information:

• Precedence—Precedence order number.

• Name—Name of the signature, such as Bcast deauth.


• Frame Type—Management or Data.

• Action—None or Report.

• Measurement Interval (sec)—Number of seconds that must elapse before the signature frequency threshold is reached within the configured interval. The range is 1 to 3600 seconds, and the default value varies per signature.

• Tracking—Tracking method used by the access points to perform signature analysis and report the results to the Cisco WLC. The possible values are as follows:

– Per Signature—Signature analysis and pattern matching are tracked and reported on a per-signature and per-channel basis.

– Per MAC—Signature analysis and pattern matching are tracked and reported separately for individual client MAC addresses on a per-channel basis.

– Per Signature and MAC—Signature analysis and pattern matching are tracked and reported on a per-signature and per-channel basis as well as on a per-MAC-address and per-channel basis.

• Signature Frequency—Number of matching packets per interval that must be identified at the individual access point level before an attack is detected. The range is 1 to 32,000 packets per interval, and the default value varies per signature.

• Signature MAC Frequency—Number of matching packets per interval that must be identified per client per access point before an attack is detected. The range is 1 to 32,000 packets per interval, and the default value varies per signature.

• Quiet Time (secs)—Length of time (in seconds) after which no attacks have been detected at the individual access point level and the alarm can stop. The range is 60 to 32,000 seconds, and the default value varies per signature.

• State—Whether this signature to detect security attacks is enabled or disabled. The default value is enabled (or checked).

Patterns

• Offset—Offset, in bytes, from the start of the packet header or body based on the value of the preceding <offsetStart> where the pattern match operation is to be performed.


Chapter 6 Security Tab Custom Signatures

• Pattern—Hexadecimal string that starts with '0x'. It must have an even number of ASCII characters. For example, 0xaabbcc is OK, but 0xaab is not.

• Mask—Mask is a hexadecimal string that starts with '0x'. It must have an even number of ASCII characters. For example, 0xaabbcc is OK, but 0xaab is not.

Custom SignaturesChoose SECURITY > Wireless Protection Policies > Custom Signatures to access the Custom Signatures page.

• Enable Check for All Standard and Custom Signatures—Check box to enable or disable signatures (both standard and custom) whose individual states are set to Enabled to remain enabled. The default is enabled. When the signatures are enabled, the access points joined to the Cisco WLC perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the Cisco WLC.

If you unselect this check box, all signatures are disabled, even the ones whose individual states are set to Enabled.


• Name—Name of the custom signature.

• Frame Type—Frame type, such as Management, or data.

• Action—Type of action to take, such as report.


• Description—Text description of the signature.

Custom Signature DetailsChoose SECURITY > Wireless Protection Policies > Custom Signatures, and then click Detail to access this page. This page enables you to view detailed signature information:


• Name—Name of the signature, such as Bcast deauth.


• Frame Type—Management or Data.

• Action—None or Report.

• Measurement Interval (sec)—Interval in seconds.

• Signature Frequency—Packet match frequency in packets/interval.

• Signature MAC Frequency—Packet match frequency in packets/interval.

• Quiet Time (secs)—Interval in seconds.


Signature Patterns

• Offset—Offset, in bytes, from the start of the packet header or body based on the value of the preceding <offsetStart> where the pattern match operation is to be performed.


Chapter 6 Security Tab Signature Events Summary

• Pattern—Hexadecimal string that starts with '0x'. It must have an even number of ASCII characters. For example, 0xaabbcc is OK, but 0xaab is not.

• Mask—Hexadecimal string that starts with '0x'. It must have an even number of ASCII characters. For example, 0xaabbcc is OK, but 0xaab is not.

Signature Events SummaryChoose SECURITY > Wireless Protection Policies > Signature Events Summary to access the Signature Events Summary page.

This table describes the signature events summary parameters.

.

Click the signature type to view more detailed information. See the Signature Events Summary Details topic.

Signature Events Summary DetailsChoose SECURITY > Wireless Protection Policies > Signature Events Summary, and click the signature type to access the Signature Events Summary Details page.

This table describes the signature events summary parameters.

Table 6-21 Signature Events Summary Parameters


Signature Type Management or data.

Precedence Precedence order number.

Signature Name Name of the standard or custom signature.

# Events Number of attack event occurrences for that particular signature.

Table 6-22 Signature Events Summary Parameters





Source MAC Address MAC address of the attacking client radio.

Track Method Tracking method AP used to track the signature attacks per signature, source MAC, or both.

Frequency Packet match frequency in packets/interval (50 per signature and 30 Per MAC tracking method).

# APs Number of radio interfaces/APs on the channel that detected the attack.

Last Heard Latest time stamp at which the radio interface/AP detected the attack.


Chapter 6 Security Tab Client Exclusion Policies

Click Detail to view more detailed information. See the Signature Event Track Details topic.

Signature Event Track DetailsChoose SECURITY > Wireless Protection Policies > Signature Events Summary and then click the Signature Type to access the Signature Event Track Details page.

This table describes the signature event detail parameters.

Client Exclusion PoliciesChoose SECURITY > Wireless Protection Policies > Client Exclusion Policies to access the Client Exclusion Policies page.

This page enables you to configure the Cisco WLC to exclude clients under certain conditions:

• Excessive 802.11 Association Failures—Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.

• Excessive 802.11 Authentication Failures—Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.

• Excessive 802.11X Authentication Failures—Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.

• IP Theft Or Reuse—Clients are excluded if the IP address is already assigned to another device.

• Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication attempt, after three consecutive failures.

Table 6-23 Signature Event Detail Parameters





Source MAC Address MAC address of the attacking client radio.

Track Method Tracking method AP used to track the signature attacks per signature, source MAC, or both.

Frequency Packet match frequency in packets/interval (50 per signature and 30 per MAC tracking method).

# APs Number of radio interfaces/APs on the channel that detected the attack.

AP MAC Address Radio MAC address of the AP that detected the attack.

AP Name Hostname of the AP.

Radio Type 802.11a or 802.11g.

Channel Radio channel number.

Last Reported by this AP Time stamp at which the AP reported the attack earlier.


Chapter 6 Security Tab AP Authentication


AP Authentication Choose SECURITY > Wireless Protection Policies > AP Authentication to access the AP Authentication Policy page.

This page enables you to set access point authentication policies:

When you enable the AP authentication feature, the access points sending RRM neighbor packets with different RF network names are reported as rogues.

When you enable Infrastructure Management Frame Protection (MFP), it is enabled globally for the Cisco WLC. You can enable or disable Infrastructure MFP validation for a particular access point (All APs Details) or protection for a particular WLAN (Editing WLANs) if MFP is enabled globally for the Cisco WLC.

• Protection Type—None, AP Authentication, or Management Frame Protection. Management Frame Protection is the default if AP Authentication was not previously configured and is the preferred method for authenticating access points.

Note This setting does not affect Client MFP, which is configured per WLAN.

• Alarm Trigger Threshold—AP Authentication sets the number of hits to be ignored from a foreign access point before an alarm is raised. The valid range is from 1 to 255; the default value is 255.


Management Frame Protection SettingsChoose SECURITY > Wireless Protection Policies > Management Frame Protection to navigate to the Management Frame Protection page.

General Parameters

Click General from the left navigation pane to access the Management Frame Protection Settings > General page.

This table describes the MFP general parameters.


Chapter 6 Security Tab Web Login Page

WLAN Parameters

Click WLAN from the left navigation pane to access the Management Frame Protection Settings > WLANs page.


Web Login PageChoose SECURITY > Web Auth > Web Login to navigate to the Web Login page.

This page enables you to customize the content and appearance of the Login page for guest users and all others. It allows you to personalize the login page with a company logo, graphics, colors, type styles, a welcome message, any terms and conditions, and so on.

The login page is shown the first time that you access the WLAN if Web Authentication is turned on (under WLAN Security Policies). Cisco provides a default web login page that can be modified with any text-based HTML editor. However, the User Name and Password fields should not be changed, and the Submit method should be retained. After you create the customized web login page, you must make it into a tar file that contains the page code and any images desired, and then upload to the Cisco WLC through the TFTP server as a Webauth Bundle (see the Download File to Controller page).

Note For Cisco 5500 Series Wireless Controllers, and Cisco WLC network modules, you must configure a preauthentication access control list (ACL) on the WLAN for the external web server and then choose this ACL as the WLAN preauthentication ACL under Security Policies > Web Policy on the Editing WLANs page.

This table describes the web login page parameters.



Management Frame Protection Disabled/Enabled (globally).

Note This MFP status represents the status of the Cisco MFP and not the status of 802.11w, introduced in Release 7.4

Controller Time Source Valid True (time is set externally [for example, NTP]).

False (time is set locally).

Table 6-25 WLAN Parameters


WLAN-ID Unique identifier.

WLAN Name Unique identifier.

WLAN Status Enabled/Disabled.

Infrastructure Protection Enabled/Disabled.

Shows if MFP infrastructure protection is enabled for individual WLANs.



Commands

• Preview—Views either the default page, the customized web login page you created, or the landing page on the external server if that Web Auth option is chosen.

Table 6-26 Web Login Page Parameters


Web Authentication Type Internal (Default); Customize (Downloaded); External (Redirect to external server). Enable this last option and enter the URL if you want to use a customized login page configured on your web server for web authentication, instead of the default web authentication page provided by the Cisco WLC. The maximum length is 254 characters.

Note Your web server should be on a different network from the Cisco WLC service port network.

If you are using a custom web-auth bundle that is served by the internal Cisco WLC web server, the page should not contain more than 5 elements (including HTML, CSS, and Images) because the internal Cisco WLC web server implements a DoS protection mechanism that limits each client to open a maximum of 5 (five) concurrent TCP connections depending on the load. Some browsers may try to open more than 5 TCP sessions at the same time (For example Firefox 4) if the page contains more elements and this may result in the page loading slowly depending on how the browser handles the DoS protection.

If you have a complex custom web authentication module, we recommend that you use an external web-auth config on the Cisco WLC, where the full login page is hosted at an external web server.

For more information, see the External Web Authentication topic.

Redirect URL after login URL that you want the user to be redirected after a login. For example, you may enter your company’s URL here and the users will be directed to that URL after login. The maximum length is 254 characters. By default, the user is redirected to the URL that was entered in the user’s browser before the login page was served.

Headline Login page headline. For example, “Welcome to Cisco Wireless Network.” The maximum length is 127 characters.

Message Login page message. For example, “Please enter your user name and password” or “This page will not be available from 1:00 Hrs to 2:00 today due to maintenance.” The maximum length is 2047 characters.

External Web Server IP address of the external web server if used.

Preview button Ability to view either the default page, the customized web login page you created, or the landing page on the external server if that Web Auth option is chosen.

Apply button Button that you click after previewing your web login page selection. If you have selected a customized (downloaded) page, you will be prompted to ensure that you have downloaded a customized web authentication bundle to the system (Cisco WLC) before applying the setting. If not, this selection fails.



• Apply—Selects a Customized (Downloaded) page, and displays a message asking you to make sure that you have downloaded a customized web authentication bundle to the system (Cisco WLC) before applying the setting. If you do not save, this selection fails.

External Web AuthenticationThe following steps describe how external web authentication works.

Step 1 When you open a web browser with a URL, it is verified for authentication. If it is not authenticated, the Cisco WLC forwards the request to the Cisco WLC web server to collect authentication details.

Step 2 The Cisco WLC web server then redirects you to the external web server URL that leads you to a login page. At this point, you are also allowed to access the Walled Garden sites (Walled Garden sites are a group of websites that users can browse before they are authenticated on to your wireless network).

Note If you are using an external web server with a Cisco 5500 Series Controller or a Cisco WLC network module, you must configure a preauthentication ACL on the WLAN for the external web server. This ACL should then be set as a WLAN preauthentication ACL under the Web Policy.

Step 3 The login request is sent back to the action URL of the Cisco WLC web server. The Cisco WLC web server submits the username and password for authentication.

Step 4 The Cisco WLC application initiates the RADIUS server request and authenticates you.

Step 5 If successful, the Cisco WLC web connects the client and the Cisco WLC web server forwards you to the configured redirect URL or to the initially requested URL.

Step 6 If user authentication fails, the Cisco WLC web server redirects you to the URL of the user login page.

Cisco Support for External Web Authentication

The Cisco support for external web authentication is as follows:

• External Web Authentication login URL—The Cisco WLC allows you to configure the login URL by using a flag to turn on the External Web Authentication mode. If this flag is configured, you are redirected to the customized login page instead of Cisco’s default Web Authentication page.

• CLI commands for External Web Authentication—The following commands are available for configuring external web authentication:

custom-web ext-webauth-url <url> custom-web ext-webauth-mode enable

• Provide AP MAC address—The Cisco WLC web server appends the MAC address of the AP with which you are associated with the external webauth URL.

• Provide the connect back URL—The external webauth URL is appended with the Cisco WLC web server URL that can be used by you to connect back and forward the user credentials.



Template for Customer Login Page

You can use the login page template provided by Cisco to develop your own login screen. The template contains the following:

• Hidden attribute names that enable the Cisco WLC to authenticate the user.

• A JavaScript function that extracts the AP MAC address and the redirected URL from the query string.

• A function that sets your web auth page’s action URL.

Based on the AP MAC address, you can change your login page using scripts or display a message to the user.

The HTML code for the customer login page template is as follows:

<html><head><meta http-equiv="Pragma" content="no-cache"><meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"><title>Web Authentication</title><script>

function submitAction(){var link = document.location.href;var searchString = "redirect=";var equalIndex = link.indexOf(searchString);var redirectUrl = "";if(equalIndex >= 0) {

equalIndex += searchString.length;redirectUrl = "http://";redirectUrl += link.substring(equalIndex);

}if(redirectUrl.length > 255)redirectUrl = redirectUrl.substring(0,255);document.forms[0].redirect_url.value = redirectUrl;

document.forms[0].buttonClicked.value = 4;document.forms[0].submit();

}

function loadAction(){var url = window.location.href;var args = new Object();var query = location.search.substring(1);var pairs = query.split("&");for(var i=0;i<pairs.length;i++){

var pos = pairs[i].indexOf('=');if(pos == -1) continue;var argname = pairs[i].substring(0,pos);var value = pairs[i].substring(pos+1);args[argname] = unescape(value);

}//alert( "AP MAC Address is " + args.ap_mac);//alert( "The controller URL is " + args.switch_url);document.forms[0].action = args.switch_url;

}

</script></head><body topmargin="50" marginheight="50" onload="loadAction();"><form method="post"><input TYPE="hidden" NAME="buttonClicked" SIZE="16" MAXLENGTH="15" value="0">


Chapter 6 Security Tab Web Authentication Certificate

<input TYPE="hidden" NAME="redirect_url" SIZE="255" MAXLENGTH="255" VALUE=""><input TYPE="hidden" NAME="err_flag" SIZE="16" MAXLENGTH="15" value="0">

<div align="center"><table border="0" cellspacing="0" cellpadding="0"><tr> <td> </td></tr>

<tr align="center"> <td colspan="2"><font size="10" color="#336699">Web Authentication</font></td></tr>

<tr align="center">

<td colspan="2"> User Name <input type="TEXT" name="username" SIZE="25" MAXLENGTH="63" VALUE=""></td></tr><tr align="center" ><td colspan="2"> Password <input type="Password" name="password" SIZE="25" MAXLENGTH="24"></td></tr>

<tr align="center"><td colspan="2"><input type="button" name="Submit" value="Submit" class="button" onclick="submitAction();"></td></tr></table></div>

</form></body></html>

Web Authentication CertificateChoose SECURITY > Web Auth > Certificate to navigate to the Web Authentication Certificate page.

This page enables you to view the current web authentication certificate type, download an SSL certificate, or regenerate a new locally generated web auth certificate.

Note The operating system automatically generates a fully functional web authentication certificate as it is loaded onto your Cisco WLC, which means that you do not have to do anything to use certificates with Layer 3 web authentication.

However, if you would like to use a new operating system-generated web authentication certificate, click Regenerate Certificate. The operating system generates a new web auth certificate and displays a “Successfully generated Web Authentication Certificate” message. Reboot the Cisco WLC to register the new certificate.

If you prefer to use an externally generated web authentication certificate, verify that the Cisco WLC can ping the TFTP server, check the Download SSL Certificate check box, and fill in the following parameters:

• Server IP address.

• Maximum Retries—Maximum number of times each download can be attempted.


Chapter 6 Security Tab TrustSec SXP

• Timeout—Amount of time allowed for each download.

• Certificate File Path—Usually “/” so the TFTP software can use its default directory.

• Certificate File Name—Web authentication certificate filename in encrypted .PEM (Privacy Enhanced Mail) format.

• Certificate Password.

Note The TFTP server cannot run on the same computer as the Cisco WCS, because the Cisco WCS and the TFTP server use the same communication port.

Caution Each certificate has a variable-length embedded RSA key. The RSA key length varies from 512 bits, which is relatively insecure, to thousands of bits, which is very secure. When you are obtaining a new certificate from a Certificate Authority (such as the Microsoft CA), make sure the RSA key embedded in the certificate is at least 768 bits.

When you have filled in the required information, click Apply and the operating system collects the new certificate from the TFTP server. Reboot the Cisco WLC to register the new certificate.


Click Regenerate Certificate to direct the operating system to internally generate a new Web Authentication certificate.

TrustSec SXPYou can use the SGT Exchange Protocol (SXP) to propagate the security group tags (SGTs) across network devices that do not have hardware support for Cisco TrustSec. The SXP sends SGT information to the CTS-enabled switches so that appropriate role-based access control lists (RBACLs) can be activated depending on the role information represented by the SGT. By default, the Cisco WLC is always in the Speaker mode. To implement the SXP on a network, only the egress distribution switch needs to be CTS-enabled, and all the other switches can be non-CTS-capable switches.

The SXP runs between any access layer and distribution switch or between two distribution switches. The SXP uses TCP as the transport layer. CTS authentication is performed for any host (client) joining the network on the access layer switch similar to an access switch with CTS-enabled hardware. The access layer switch is not CTS hardware enabled. Therefore, data traffic is not encrypted or cryptographically authenticated when it passes through the access layer switch. Also, the hardware cannot insert the SGT into the packet. The SXP is used to pass the IP address of the authenticated device, that is a wireless client, and the corresponding SGT up to the distribution switch. If the distribution switch is CTS hardware enabled, the switch inserts the SGT into the packet on behalf of the access layer switch. If the distribution switch is not CTS hardware enabled, the SXP on the distribution switch passes the IP-SGT mapping to all the distribution switches that have CTS hardware. On the egress side, the enforcement of the RBACL occurs at the egress L3 interface on the distribution switch.

SXP ConfigurationChoose SECURITY > TrustSec SXP to navigate to the SXP Configuration page.


Chapter 6 Security Tab Local Policies

This table describes the TrustSec SXP parameters.

This page also displays the following SXP Connection information:

• Peer IP Address—The IP address of the peer, that is the IP address of the next hop switch to which the Cisco WLC is connected.

• Source IP Address—The IP address of the source, that is the management IP address of the Cisco WLC.

• Connection Status—Status of the SXP connection.

Click New to create a new SXP connection.

Local PoliciesChoose SECURITY > Local Policies to navigate to the Policy List page.

This page enables you to configure the device-based policies on the Cisco WLC. You can configure policies for a user or a device on the network. The maximum number of policies that you can configure is 64. Click the name of the policy to navigate to the Edit page and update the parameters. For more information, see Configuring Policies.

Table 6-27 TrustSec SXP Parameters


Total SXP Connections Total number of SXP connections configured.

SXP State Status of SXP connections as either disabled or enabled.

SXP Mode SXP mode of the Cisco WLC. The Cisco WLC is always set to the Speaker mode in SXP connections.

Default Password Password for MD5 authentication of SXP messages We recommend that the password contain a minimum of 6 characters.

Default Source IP IP address of the management interface.

The default source IP address for all SXP connections is the management IP address of the Cisco WLC. The source IP address cannot be configured.

Retry Period The SXP retry timer. The default value is 120 seconds (2 minutes). The valid range is 0 to 64000.

The SXP retry period determines how often the Cisco TrustSec software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco TrustSec software makes a new attempt to set up the connection after the SXP retry period timer expires. Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.


Chapter 6 Security Tab Local Policies

Click New to add a new policy.

Configuring PoliciesChoose SECURITY > Local Policies and click the name of the policy to navigate to the Edit page. You can define parameters under Match Criteria and specify the policy action for the client. Policies applied on AP groups have more priority than those applied on WLANs.

Note Policies are not applied on WLANs and AP groups if AAA Override is configured on the Cisco WLC.

To apply the configured policies on a WLAN, choose WLAN, click the WLAN ID to navigate to the Edit page, and click the Policy-Mapping tab. You can configure up to 16 policies on a WLAN.

To apply the configured policies on an AP group, choose WLAN > Advanced > AP Groups , click the AP Group name to navigate to the Edit page, and click the WLAN tab. You can configure up to 16 policies on an AP group.

This table describes the policy parameters.

Table 6-28 Policy Parameters


Policy Name Name of the policy.

Policy ID Unique identifier of the policy

Match Criteria

Match Role String User type or user group of the user, for example, student, employee, and so on.

Match EAP Type EAP authentication method used by the client. The available methods are as follows:

• LEAP

• EAP-FAST

• EAP-TLS

• PEAP

Device Type Drop-down list from which you can choose a type of device. Click Add to add the device to the policy device list.

Device List Devices configured for the policy.

Action

IPv4 ACL Drop-down list from which you can choose an IPv4 ACL for the policy.

VLAN ID VLAN associated with the policy.


Chapter 6 Security Tab Cisco Intrusion Detection System

Cisco Intrusion Detection SystemCisco WLCs are equipped with sensors to detect intrusion attempts by unauthorized clients. These intruders are added to a shun list, which is forwarded to all Cisco mobility groups. A Renew flag is used to indicate that the Cisco WLC receiving the shun list should remove all entries from the sending Cisco WLC before processing the received list.

In a scenario where the primary Cisco WLC that has a connection to a Cisco Intrusion Detection System sensor is rebooted and some entries on this Cisco Intrusion Detection System sensor have expired, the first query after a reboot should renew and synchronize the newly acquired shun list from this Cisco Intrusion Detection System sensor in the mobility group.

The querying Cisco WLC compares the newly acquired shun list with its local list every time. If a new entry is found, it should be included in the next mmCidsUpdate. If an entry is removed in the new list, it sends this entry in the next mmCidsUpdate with Remaining Minutes set to zero. If the Remaining Minutes are set to zero, the receiving Cisco WLC removes this entry from the shun list.

QoS Policy Drop-down list from which you can choose the QoS policy that can be one of the following:


• Gold (Video)—Supports high-quality video applications.


• Bronze (Background)—Provides the lowest bandwidth for guest services.

Session Timeout Maximum amount of time, in seconds, before a client is forced to reauthenticate. The default value is 0.

Sleeping Client Timeout Maximum amount of time, in hours, after the idle timeout before a guest client is forced to reauthenticate. The default value is 12. The range is from 1 to 720.

Flexconnect ACL Drop down list from which you can choose the Fexconnect ACL for the policy.

AVC Profile Drop down box lists all the configured AVC profiles on the controller for selection.

Active Hours

Day Day of the week on which the policy is active.

Start Time Start time of the policy.

End Time End time of the policy.

Table 6-28 Policy Parameters



Chapter 6 Security Tab Cisco Intrusion Detection System

Cisco Intrusion Detection System Sensors ListChoose SECURITY > Advanced > CIDS > Sensors to navigate to the Cisco Intrusion Detection System Sensors List page.

This table describes the Cisco Intrusion Detection System Sensors List parameters.

Adding Cisco Intrusion Detection System SensorsChoose SECURITY > Advanced > CIDS > Sensors > New to navigate to the Cisco Intrusion Detection System Sensor Add page.

This table describes the Cisco Intrusion Detection System Sensor Add parameters.

Table 6-29 Cisco Intrusion Detection System Sensors List Parameters


Index Typically 1.

Server Address URL of the CIDS sensor server.

Port Typically 443.

State State that is either enabled or disabled

Query Interval To be specified in seconds.

Table 6-30 Cisco Intrusion Detection System Sensor Add Parameters


Index Index value from the drop-down list.

Server Address URL of the Cisco Intrusion Detection System sensor server.

Port SNMP port number. The default is 443.

Username Name that the Cisco WLC uses to authenticate to the IDS sensor.

Note This username must be configured on the IDS sensor and have at least a read-only privilege.

Password Password that the Cisco WLC uses to authenticate to the IDS sensor.

Confirm Password Password that you reenter so that the Cisco WLC can authenticate to the IDS sensor.

Query Interval Interval in seconds.

State State that allows you to enable to register the Cisco WLC with this IDS sensor. The default is disabled.

Fingerprint (SHA1 hash) 40 hexadecimal characters.


Chapter 6 Security Tab CA Certification

Editing Cisco Intrusion Detection System SensorsChoose SECURITY > Advanced > CIDS > Sensors and then click the index number to navigate to the Cisco Intrusion Detection System Sensor Edit page.

This table describes the Cisco Intrusion Detection System Sensor Edit parameters.

Cisco Intrusion Detection System Shun ListChoose SECURITY > Advanced > CIDS > Sensors > Shunned Clients to navigate to the Cisco Intrusion Detection System Shun List page.

This table describes the CIDS shun list parameters.

Re-sync—Purges and resets the list.

CA CertificationChoose SECURITY > Advanced > Vendor Certs > CA Certificate to navigate to the CA Certification page.

Table 6-31 Cisco Intrusion Detection System Sensor Edit Parameters


Index Configured index number.

Server Address URL of the CIDS sensor server.

Port SNMP port number. The default is 443.

Username Name that the Cisco WLC uses to authenticate to the IDS sensor.

Password Password that the Cisco WLC uses to authenticate to the IDS sensor.

State Check box that enables you to enable or disable the state. The default is disabled.

Query Interval Interval in seconds.

Fingerprint (SHA1 hash) 40 hexadecimal characters.

Last Query (count) Unknown (0) when disabled.

Table 6-32 CIDS Shun List Parameters


IP Address URL of the Cisco WLC Shun List sensor.

Last MAC Address MAC address of the Shun List sensor.

Expire Time remaining until expiration of the current list.

Sensor IP/Index Cisco WLC sensor IP and index number.


Chapter 6 Security Tab ID Certificate

This page contains the current CA certificate information. If you choose to add an operator-generated or purchased CA Certificate, paste the new CA certificate ASCII text into the certificate box and click Apply.



Click Delete Certificate to delete the current CA Certification. You are prompted to confirm if you select this option.

ID CertificateChoose SECURITY > Advanced > Vendor Certs > ID Certificate to navigate to this page.

This page summarizes existing network ID certificates by the ID certificate name and valid period. An ID certificate can be used by web server operators to ensure secure server operation.


Click New to add a new ID certificate.

Adding ID CertificatesChoose SECURITY > Advanced > Vendor Certs > ID Certificate and then click New to navigate to the New ID Certificate page.


This page enables you to add new ID certificates, in addition to the factory-supplied ID certificate. For each new ID certificate, add the following:

• Certificate Name—Certificate name that you can specify.

• Certificate Password—Certificate password (private key).

• Certificate—New ID certificate ASCII text into the Certificate box.



Chapter 6 Security Tab ID Certificate


C H A P T E R 7
Management Tab
This tab on the menu bar enables you to access the Cisco WLC management details. Use the left navigation pane to access specific management parameters. Making this selection from the menu bar opens the Summary page.

You can access the following pages from the Management tab:

• Summary

• SNMP V3 Users

• SNMP v1/v2c Community

• SNMP Trap Receiver

• SNMP Trap Controls

• SNMP Trap Logs

• HTTP-HTTPS Configuration

• Telnet-SSH Configuration

• Serial Port Configuration

• Local Management Users

• Guest User Accounts

• CLI Sessions

• Syslog Configuration

• Message Logs

• Management Via Wireless

• Installing and Configuring Licenses

• Licenses

• License Detail

• License Level

• License Commands

• System Resource Information

• Controller Crash Information

• Core Dump

• AP Crash Logs


Chapter 7 Management Tab Summary

SummaryChoose MANAGEMENT > Summary to navigate to the Summary page. This page displays the network summary.

This table describes the management summary parameters.

SNMP System SummaryChoose MANAGEMENT > SNMP > General to navigate to the SNMP System Summary page. This page enables you to change some of the SNMP system parameters.

This table describes the SNMP system parameters.



SNMP Protocols SNMP protocols supported.

Syslog Log of system events.

HTTP Mode Access mode for web and secure web.

HTTPS Mode Status of the HTTPS Secure Shell (SSL) interface that uses secure certificate authentication.

New Telnet Sessions Allowed Whether or not additional Telnet sessions are permitted.

New SSH Sessions Allowed Whether or not additional SSH-enabled sessions are permitted.

Management via Wireless Whether Cisco WLC management from a wireless client is enabled or disabled.

Table 7-2 SNMP System Parameters


Name Customer-definable name of the Cisco WLC.

Location Customer-definable Cisco WLC location.

Contact Customer-definable contact details.

System Description Read-only Cisco WLC description.

System Object ID Read-only object ID.

SNMP Port Number Read-only SNMP port number.

Trap Port Number Definable trap port number; the default value is 162.

SNMP v1 Mode SNMP v1 mode that you can enable or disable; the default is disabled.

SNMP v2c Mode SNMP v2c mode that you can enable or disable; the default is enabled.

This parameter should be modified if remote management is desired.

SNMP v3 Mode SNMP v3 mode that you can enable or disable; the default is enabled.

This parameter should be modified if remote management is desired.


Chapter 7 Management Tab SNMP V3 Users


SNMP V3 UsersChoose MANAGEMENT > SNMP > SNMP V3 Users to navigate to the SNMP V3 Users page. This page provides a summary of the SNMP users.

This table describes the SNMP user summary parameters.

To remove a user profile, click the blue arrow adjacent the desired profile and choose Remove. You are prompted for confirmation of the user removal.

Click New to add a new SNMP user (see the Adding SNMP V3 Users topic).

Adding SNMP V3 UsersChoose MANAGEMENT > SNMP > SNMP V3 Users and then click New to navigate to the SNMP V3 Users > New page. This page provides a summary of the SNMP users.

This table describes the SNMP user details parameters.

If you select an authentication or privacy protocol, you must enter a password for each.


Table 7-3 SNMP User Summary Parameters

Parameter Range

User Name Name of the user profile.

Access Level Read-only or read-write.

Auth Protocol None, HMAC-MD5, or HMAC-SHA.

Privacy Protocol None, CBC-DES, or CFB-AES-128.

Table 7-4 SNMP User Details Parameters

Parameter Range

User Profile Name Name of the user profile.

Access Mode Read-only or read-write.

Authentication Protocol None, HMAC-MD5, or HMAC-SHA (default).

For HMAC-MD5 or HMAC-SHA, enter and confirm an authentication password.

Privacy Protocol None, CBC-DES, or CFB-AES-128 (default).

For CBC-DES, enter and confirm a Privacy Password.


Chapter 7 Management Tab SNMP v1/v2c Community

SNMP v1/v2c CommunityChoose MANAGEMENT > SNMP > Communities to navigate to the SNMP v1 / v2c Community page.

Edit a user profile by choosing Edit (see the Editing SNMP v1/v2c Community topic).

To remove a community, click the blue arrow adjacent the desired community and choose Remove. You are prompted to confirm the removal of the community. This page provides a summary of the SNMP community.

This table describes the SNMP community summary parameters.

Table 7-5 SNMP Community Summary Parameters

Parameter Range

Community Name Community string to which this entry grants access. A valid entry is a case-sensitive, alphanumeric string of up to 16 characters. Each row of this table must contain a unique community name.

IP Address (IPv4/IPv6) IP address from which this device accepts SNMP packets with the associated community. An AND operation is performed between the requesting entity’s IP address and the subnet mask before being compared to the IP address.

From Release 8.0, SNMP community supports IPv4 and IPv6.

Note If the subnet mask is set to 0.0.0.0, an IP address of 0.0.0.0 matches all IP addresses. The default value is 0.0.0.0.

IP Mask/Prefix Length The subnet mask/ prefix length assigned to IPv4/IPv6 address

Mask that must be an operand in the AND operation with the requesting entity’s IP address before the IP addresses are compared. If the IP addresses match, then the address is an authenticated IP address.

For example, if the IP address is 9.47.128.0 and the corresponding subnet mask is 255.255.255.0, a range of incoming IP addresses would match. The incoming IP address could equal 9.47.128.0 to 9.47.128.255. The default value is 0.0.0.0.

Access Mode Access level for this community string. This mode may be specified by choosing read/write or read only from the drop-down list.

Status Status of this community access entry. When this object is set to enabled, if the community name for this row is not unique among all valid rows, the set request is rejected.

IPSec Parameters

IPSec Check box to enable IPSec for the SNMP community.

IPSec Auth Displays the IP security authentication protocol used.

IPSec Encryption Displays the IP security encryption mechanism used.

IKE Phase 1 Displays the Internet Key Exchange protocol (IKE) used.




Click New to add a new community user profile (see the Adding SNMP v1/v2c Community topic).

Adding SNMP v1/v2c CommunityChoose MANAGEMENT > SNMP Communities and then click New to navigate to the SNMP v1 / v2c Community > New page. This page enables you to add a new SNMP community profile.

Note There is no IPSec support for IPv6.


Lifetime (Seconds) Displays the timeout interval for the session expiry. The default is 28800 seconds.

IKE Diffie Hellman Group

Displays the IKE Diffie Hellman Group.

Diffie-Hellman techniques are used by two devices to generate a symmetric key where they can publicly exchange values and generate the same symmetric key. Although all the three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 keys might occur slightly faster because of their smaller prime number size.

Auth Method IPsec authentication method that can be PSK or Certificate.

Shared Key Format Format of the shared secret that you set to either ASCII of Hex.

Shared Secret RADIUS Server login Shared Secret.

Confirm Shared Secret RADIUS Server login Shared Secret.


Parameter Range


Parameter Range







IP Mask/Prefix Length The subnet mask/ prefix length assigned to IPv4/IPv6 address.

Mask that must be the AND operand with the requesting entity’s IP address before the IP addresses are compared. If the IP addresses match, then the address is an authenticated IP address.

For example, if the IP address is 9.47.128.0 and the corresponding subnet mask is 255.255.255.0, a range of incoming IP addresses would match, that is, the incoming IP address could equal 9.47.128.0 to 9.47.128.255. The default value is 0.0.0.0.

Note For IPv6 input, enter Prefix Length.

Access Mode Access level for this community string. This mode, may be specified by selecting read/write or read-only from the drop-down list.

Status Status of this community access entry. When this object is set to enabled, if the community name for this row is not unique among all valid rows, the set request is rejected. Community names may be made invalid by choosing disable.

IPSec Parameters

IPSec Check box that allows you to enable or disable the IP Security mechanism. If you enable this option, the IP Security Parameters fields are displayed.


IPSec Auth Set the IP security authentication protocol to be used. Options are as follows:

• HMAC-SHA1

• HMAC-MD5


IPSec Encryption IP security encryption mechanism to be used. Options are as follows:

• DES —Data Encryption Standard that uses a private data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.

• Triple DES—Data Encryption Standard that applies three keys in succession.

• AES CBS—Advanced Encryption Standard that uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses 128 bit data path in Cipher Clock Chaining (CBC) mode.


Parameter Range




Editing SNMP v1/v2c CommunityChoose MANAGEMENT > SNMP Communities and then click Edit to navigate to the SNMP v1 / v2c Community > Edit page.

IKE Phase 1 Internet Key Exchange protocol (IKE). Options are as follows:

• Aggressive

• Main


Lifetime (Seconds) Set the timeout interval for the session expiry. The default is 28800 seconds.

IKE Diffie Hellman Group Set the IKE Diffie Hellman Group. The options are as follows:

• Group 1 (768 bits)





Diffie-Hellman techniques are used by two devices to generate a symmetric key where they can publicly exchange values and generate the same symmetric key. Although all the four groups provide security from conventional attacks, Group 14 is considered most secure because of its larger key size. However, computations involving Group 1, Group 2, and Group 5 keys might occur slightly faster because of their smaller prime number size. The default value is Group 1.

Auth Method IPsec authentication method that can be PSK or Certificate.Shared Secret Format—Format of the shared secret that you set to either ASCII of Hex.

Shared Secret Format Format of the shared secret that you set to either ASCII of Hex.

Shared Secret/Confirm Shared Secret

RADIUS server login Shared Secret.


Parameter Range



This page allows you to enable or disable an SNMP community profile. All fields are read-only except the Status text box.




Parameter Range





IP Mask/Prefix Length The subnet mask/ prefix length assigned to IPv4/IPv6 address.

Mask that must be the AND operand with the requesting entity’s IP address before the IP addresses are compared. If the IP addresses match, then the address is an authenticated IP address.

For example, if the IP address is 9.47.128.0 and the corresponding subnet mask is 255.255.255.0, a range of incoming IP addresses would match, that is, the incoming IP address could equal 9.47.128.0 to 9.47.128.255. The default value is 0.0.0.0.

Note For IPv6 input, enter Prefix Length.

Access Mode Access level for this community string. This mode may be specified by selecting read/write or read-only from the drop-down list.

Status Status of this community access entry. When this object is set to enabled, if the community name for this row is not unique among all valid rows, the set request is rejected. Community names may be made invalid by choosing disable.

IPSec Parameters

IPSec Check box that allows you to enable or disable the IP Security mechanism. If you enable this option, the IP Security Parameters fields are displayed.




IPSec Auth Set the IP security authentication protocol to be used. Options are as follows:

• HMAC-SHA1

• HMAC-MD5


IPSec Encryption IP security encryption mechanism to be used. Options are as follows:

• DES —Data Encryption Standard that uses a private data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.

• Triple DES—Data Encryption Standard that applies three keys in succession.

• AES CBS—Advanced Encryption Standard that uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses 128 bit data path in Cipher Clock Chaining (CBC) mode.

IKE Phase 1 Internet Key Exchange protocol (IKE). Options are as follows:

• Aggressive

• Main


Lifetime (Seconds) Set the timeout interval for the session expiry. The default is 28800 seconds.


Parameter Range


Chapter 7 Management Tab SNMP Trap Receiver


SNMP Trap ReceiverChoose MANAGEMENT > SNMP > Trap Receivers to navigate to the SNMP Trap Receiver page.

Edit a user profile by choosing Edit (see the Editing SNMP Trap Receivers topic).

Remove a user profile by choosing Remove. You are prompted for confirmation of the trap removal. This page provides a summary of existing SNMP trap receivers.

This table describes the SNMP trap receiver summary parameters.

IKE Diffie Hellman Group

Set the IKE Diffie Hellman Group. The options are as follows:






Diffie-Hellman techniques are used by two devices to generate a symmetric key where they can publicly exchange values and generate the same symmetric key. Although all the four groups provide security from conventional attacks, Group 14 is considered most secure because of its larger key size. However, computations involving Group 1, Group 2, and Group 5 keys might occur slightly faster because of their smaller prime number size. The default value is Group 1.

Auth Method IPsec authentication method that can be PSK or Certificate.Shared Secret Format—Format of the shared secret that you set to either ASCII of Hex.

Shared Secret Format Format of the shared secret that you set to either ASCII of Hex.

Shared Secret/Confirm Shared Secret

RADIUS server login Shared Secret.


Parameter Range

Table 7-8 SNMP Trap Receiver Summary Parameters

Parameter Range

Community Name Name of the server where the traps are sent.


Chapter 7 Management Tab SNMP Trap Receiver

Click New to add a new trap receiver (see the Adding SNMP Trap Receivers topic).

Adding SNMP Trap ReceiversChoose MANAGEMENT > SNMP > Trap Receivers and then click New to navigate to the SNMP Trap Receiver > New page.

This page enables you to add a server to receive SNMP traps from this Cisco WLC.

This table describes the SNMP trap receiver detail parameters.



Editing SNMP Trap ReceiversChoose MANAGEMENT > SNMP > Trap Receivers and then click the Community Name to edit an SNMP trap receivers and its IPSec details.


This page enables you to configure sending traps to a particular server. Only the Status text box can be modified.


IP Address (IPv4/IPv6) IP address of the server. From Release 8.0, SNMP trap receiver support IPv4 and IPv6.

Status Status that must be enabled for the SNMP traps to be sent to the server.

Table 7-8 SNMP Trap Receiver Summary Parameters

Parameter Range

Table 7-9 SNMP Trap Receiver Detail Parameters

Parameter Range

Community Name Name of the server where the traps are sent.

IP Address (IPv4/IPv6) IP address of the server. From Release 8.0, SNMP trap receiver support IPv4 and IPv6.

Status Status that you must enable for the SNMP traps to be sent to the receiver. The default is enabled.


Chapter 7 Management Tab SNMP Trap Controls

SNMP Trap ControlsChoose MANAGEMENT > SNMP > Trap Controls to navigate to the SNMP Trap Controls page.

This page enables you to select which traps logs should be captured. Choose the applicable logs and choose Apply.

Note Select the Select All check box to enable all traps on a tab. Unselect the Select All check box to disable all traps on a tab.

General TabThis table describes the SNMP trap control parameters.

Client TabThis table describes the client tab parameters.


Trap Name Description

Link (Port) Up/Down Port changes status from up or down.

Spanning Tree1

1. The Cisco 5500 Series Controllers do not support the Spanning Tree Protocol.

Spanning tree traps. Refer to the STP specifications for descriptions of individual parameters.

Config Save Notification sent when the configuration is modified.

RFID Limit Reached Notification sent when the number of RFID tags on the Cisco WLC exceeds the threshold limit defined in the Threshold field.

Threshold Threshold number of the RFID tags on the Cisco WLC to trigger a trap.

Table 7-11 Client Tab Parameters


802.11 Association Associate notification sent when the client sends an association frame.

802.11 Disassociation Disassociate notification sent when the client sends a disassociation frame.

802.11 Deauthentication Deauthenticate notification sent when the client sends a deauthentication frame.

802.11 Failed Authentication

Authenticate failure notification sent when the client sends an authentication frame with a status code other than successful.

802.11 Failed Association

Associate failure notification sent when the client sends an association frame with a status code other than successful.

Exclusion Associate failure notification sent when a client is Exclusion Listed (blacklisted).



AP TabThis table describes the AP tab parameters.

Security TabThis table describes the security tab parameters.

Authentication Authentication notification sent when a client is successfully authenticated.

Max Clients Limit Reached

Notification sent when the maximum number of clients, defined in the Threshold field, have been associated with the Cisco WLC.

NAC Alert Alert that is sent when a client joins an SNMP NAC-enabled WLAN. This notification is generated when clients on NAC-enabled SSIDs complete Layer 2 authentication. This trap is to inform the NAC appliance about the client's presence.

Association with Stats Associate notification sent with data statistics when a client associates with the Cisco WLC or roams. The data statistics include transmitted and received bytes and packets.

Disassociation with Stats Disassociate notification sent with data statistics when a client disassociates from the Cisco WLC. The data statistics include transmitted and received bytes and packets, SSID, and session ID.

Table 7-11 Client Tab Parameters


Table 7-12 AP Tab Parameters


AP Register Notification sent when the access point associates or disassociates with the Cisco WLC.

AP Interface Up/Down Notification sent when the access point interface (802.11a/n or 802.11b/g/n) status changes to up or down.

AP Authorization AP authorization that you can enable or disable. The default is enabled.

AP SSID Key Conflict Notification sent when two SSIDs on an AP have the same cipher key.

AP Mode Change Notification sent when the access point mode changes.

AP Time Sync Failure Notification sent when the heartbeat (for example, 60s) between the Cisco WLC and the AP is lost or the connection breaks.

Table 7-13 Security Tab Parameters


AAA Traps

User Authentication Trap to inform that a client RADIUS authentication failure has occurred.



Auto RF TabThis table describes the auto RF tab parameters.

RADIUS Servers Not Responding

Trap to indicate that no RADIUS server(s) are responding to authentication requests sent by the RADIUS client.

802.11 Security Traps

WEP/WPA Decrypt Error Trap to inform that an error has occurred while a WEP/WPA entity is being decrypted.

IDS Signature Attack IDS Signature attack that you can enable or disable. The default is enabled.

Rogues

Rogue AP Trap that is sent with its MAC address whenever a rogue access point is detected. When a rogue access point that was detected earlier no longer exists, this trap is sent.

Adjacent Channel Rogue Notification sent when a rogue AP is detected in the adjacent channels and if it has been removed from the network.

Management Traps

SNMP Authentication SNMPv2 entity that has received a protocol message that is not properly authenticated.

Multiple Users Two users that log in with the same login ID.

Strong Password Strong password check that you enable or disable.

Table 7-13 Security Tab Parameters


Table 7-14 Auto RF Tab Parameters


Auto RF Profile

Load Profile Notification sent when the Load Profile state changes between PASS and FAIL.

Noise Profile Notification sent when the Noise Profile state changes between PASS and FAIL.

Interference Profile Notification sent when the Interference Profile state changes between PASS and FAIL.

Coverage Profile Notification sent when the Coverage Profile state changes between PASS and FAIL.

Auto RF Update Traps

Channel Update Notification sent when the access point’s dynamic channel algorithm is updated.

Tx Power Update Notification sent when the access point’s dynamic transmit power algorithm is updated.



Mesh TabThis table describes the mesh tab parameters.




Child Excluded Parent Notification sent when the child access point marks a parent access point for exclusion. When the child fails to authenticate at the Cisco WLC after a fixed number of times, the child marks the parent for exclusion. The child remembers the excluded MAC address and informs the Cisco WLC when it joins the network. The child access point marks the MAC address and excludes it for the time determined by MAP node so that it does not try to join this excluded node. The child MAC address is sent as part of the index.

Parent Change Notification sent when a child moves to another parent. The alarm includes the MAC addresses of the former and current parents.

Authfailure Mesh Notification sent when the access point tries to join the mesh but fails to authenticate because it is not in the MAC filter list. The trap contains the MAC address of the AP that failed authorization.

Child Moved Notification sent when the parent access point loses connection with its child.

Excessive Parent Change Notification sent when the number of parent changes for a given mesh access point exceeds the threshold. Each access point keeps count of the number of parent changes within a fixed time. If the count exceeds the threshold defined by c1MeshExcessiveParentChangeThreshold, then the child access point informs the Cisco WLC.

Excessive Children Notification sent when the child count of an access point exceeds 10 (default) children. RAP and MAP need to be handled separately. RAP allows more than 10 (default) children up to 20 (default) children.

Poor SNR Notification sent when the child access point detects a signal-to-noise ratio (SNR) below 12 dB on the backhaul link. The alarm includes the SNR value and the MAC addresses of the parent and child.

Console Login Notification sent when a login on the MAP console is successful or when a failure occurs after three attempts.

Excessive Association Notification sent when the MAP access point associates more than 5 times within 60 minutes.

Default Bridge Group Name

Notification sent when a MAP mesh node joins parent using the “default” bridge group name.

Excessive Hopcount Notification sent when the number of hops from the Mesh access point (MAP) node to the root access point (RAP) exceeds the threshold defined by clMeshExcessiveHopCountThreshold.

Secondary Backhaul Change

Notification sent when the MAP changes the backhaul from primary to secondary.


Chapter 7 Management Tab SNMP Trap Logs

SNMP Trap LogsChoose MANAGEMENT > SNMP > Trap Logs to navigate to the Trap Logs page.

This page enables you to view the trap logs that have been captured by the Cisco WLC. Each trap entry includes the log number, system time, and trap description.

This page also displays the number of traps since the last reset and number of traps since log last viewed.

Note Review the following client reason and status codes. You are likely to encounter them when reviewing the trap logs.

Client Reason Code DescriptionsThis table describes the client reason code parameters.

Client Status Code DescriptionsThis table describes the client status code parameters.

Table 7-16 Client Reason Code Parameters

Client Reason Code Description Meaning

0 noReasonCode Normal operation.

1 unspecifiedReason Client associated but no longer authorized.

2 previousAuthNotValid Client associated but not authorized.

3 deauthenticationLeaving Access point went offline; deauthenticating the client.

4 disassociationDueToInactivity Client session timeout exceeded.

5 disassociationAPBusy Access point is busy.

6 class2FrameFromNonAuthStation Client attempted to transfer data before it was authenticated.

7 class2FrameFromNonAssStation Client attempted to transfer data before it was associated.

8 disassociationStaHasLeft Operating system moved the client to another access point using nonaggressive load balancing.

9 staReqAssociationWithoutAuth Client not authorized yet; still attempting to associate with an access point.

99 missingReasonCode Client momentarily in an unknown state.


Chapter 7 Management Tab HTTP-HTTPS Configuration

Click Clear Log to delete all log entries. You are prompted for confirmation to delete the logs.

HTTP-HTTPS ConfigurationChoose MANAGEMENT > HTTP-HTTPS to navigate to the HTTP-HTTPS Configuration page.

This page enables you to configure the following settings for Web Mode or Secure Web Mode:

• HTTP Access—HTTP Web User Interface that is accessible using a login and password. If you disable HTTP Web Mode, you must enable Secure Web Mode or you must use the CLI or Cisco Wireless Control System interface to configure the Cisco WLC. If you disable Web Mode and Secure Web Mode, you must use the CLI interface to configure the Cisco WLC.

• HTTPS Access—HTTPS Secure Shell (SSL) interface that is accessible using secure certificate authentication (configured below). This is the default access. If you disable HTTPS Secure Web Mode, you must enable Web Mode or you must use the CLI or Cisco Wireless Control System interface to configure the Cisco WLC.

• Web Session Timeout—Amount of inactivity (in minutes) before the session times out.

• Current Certificate—Name, Type, Serial Number, Valid, Subject Name, Issuer Name, MD5 Fingerpoint, and SHA1 Fingerpoint.

• Download SSL Certificate—Certificate that you use to download an SSL Web Admin Certificate from a local TFTP server. Select the Download SSL Certificate check box to display the following entries:

– Server IP Address—IP address of the local TFTP server.

– Maximum Retries—Maximum number of times each download can be attempted.

– Timeout—Amount of time allowed for each download.

– Certificate File Path—Usually either \ or /, as most TFTP servers automatically determine the path to their default file location. Otherwise, use the TFTP server absolute file path.

Table 7-17 Client Status Code Parameters

Client Status Code Description Meaning

0 idle Normal operation; no rejections of client association requests.

1 aaaPending Completing an AAA transaction.

2 authenticated 802.11 authentication is completed.

3 associated 802.11 association is completed.

4 powersave Client is in powersave mode.

5 disassociated 802.11 disassociation is completed.

6 tobedeleted Client is deleted after disassociation.

7 probing Client not associated or authorized yet.

8 disabled Automatically disabled by the operating system for an operator-defined time.


Chapter 7 Management Tab Telnet-SSH Configuration

– Certificate File Name—Web Administration Certificate filename in encrypted PEM (Privacy Enhanced Mail) format.

– Certificate Password—SSL certificate password that is used to decrypt the SSL Web Admin Certificate.

Note The TFTP server cannot run on the same computer because the Cisco Prime Infrastructure and the TFTP server use the same communication port.


Click Apply and Yes to download the SSL Web Admin Certificate. The operating system informs you of the file transfer and the certificate installation progress.

The SSL password decrypts the certificate, and the certificate is used for Secure Web Mode access when activated.

Note You must save the configuration changes and reboot the Cisco WLC after changing the SSL certificate.

Click Apply to send data or a download SSL certificate request to the Cisco WLC, but the result is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.

Click Delete Certificate to instruct the operating system to delete the current SSL certificate.

Click Regenerate Certificate to instruct the operating system to generate a new SSL certificate to replace any existing certificate; the Web User Interface displays the “Successfully Generated SSL Web Admin Certificate” message when done.

Telnet-SSH ConfigurationChoose MANAGEMENT > Telnet-SSH to navigate to the Telnet-SSH Configuration page.

Note Only FIPS approved algorithm 128-cbc is supported when using SSH to control WLANs.

This page enables you to modify the following settings for Telnet accessibility to the Cisco WLC:

• Session Timeout (minutes)—Number of minutes that a Telnet session is allowed to remain inactive before being logged off. A zero means there is no timeout. The timeout may be specified as a number from 0 to 160. The default is 5 minutes.

• Maximum Number of Telnet Sessions—Values from 0 to 5. This object indicates the number of simultaneous Telnet sessions allowed. The default is 5.

• Allow New Telnet Sessions—Whether new Telnet sessions are not allowed on the DS port when set to no. The default is no.


Chapter 7 Management Tab Serial Port Configuration

Note New Telnet sessions are allowed or disallowed on both the DS (network) port and the Service port using the Allow New Telnet Sessions parameter.

• Allow New SSH Sessions—Whether new Secure Shell Telnet sessions are not allowed when set to no. The default value is yes.


Serial Port ConfigurationChoose MANAGEMENT > Serial Port to navigate to the Serial Port Configuration page. This page enables you to modify configurable serial session properties.

This table describes the serial port configuration parameters.


Local Management UsersChoose MANAGEMENT > Local Management Users to navigate to the Local Management Users page.

This page lists current management user logins on the Cisco WLC and the users’ access privileges.

You may remove a user account by click the blue arrow adjacent the desired account and choose Remove.

Table 7-18 Serial Port Configuration Parameters


Serial Port Login Timeout (Seconds)

Time, in minutes, of inactivity on a serial port connection, after which the Cisco WLC closes the connection.

Any numeric value between 0 and 160 is allowed.

The default is 5. A value of 0 disables the timeout.

Baud Rate (bps) Default baud rate at which the serial port tries to connect.

The available values are 1200, 2400, 4800, 9600, 19200, 38400, 57600, and 115200 baud. The default is 9600 baud.

Character Size (bits)

Number of bits in a character. 8 (read-only).

Flow Control Whether hardware flow control is enabled or disabled.

Disabled (read-only).

Stop Bits Number of stop bits per character. 1 (read-only).

Parity Parity method used on the serial port. None (read-only).


Chapter 7 Management Tab Local Management Users

Caution Removing the default admin user prohibits both web and CLI access to the Cisco WLC. Therefore, you must create a user with administrative (read/write) privileges before you remove the default user.

• Click New to add a new management user (see the Adding Local Management Users topic).

Adding Local Management UsersChoose MANAGEMENT > Local Management Users and then click New to navigate to the Local Management Users > New page.

This page enables you to add management user accounts on the Cisco WLC and the user’s access privileges.

Note The settings for the Management User Details parameters depends on the settings that you make in the Password Policy page. The following requirements are enforced on the password:

• The password should contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.

• No character in the password can be repeated more than three times consecutively.

• The password should not contain a management username or the reverse letters of a username.

• The password should not contain words like Cisco, oscic, admin, nimda, or any variant obtained by changing the capitalization of letters by substituting 1, |, or ! or substituting 0 for o or substituting $ for s.

This table describes the management user details parameters.


Table 7-19 Management User Details Parameters


User Name Login username.

Password User password. The default is admin.

Confirm Password User password that you confirm. The default is admin.

User Access Mode User privilege assignment (Read-Only, Read-Write, or Lobby Admin) that you create for Guest User Accounts.

Telnet Capable Check box that you can select to enable local management users to Telnet to the Cisco WLC. By default, this feature is enabled. You must enable global Telnet to enable this feature. SSH connection is not affected when you enable this option.


Chapter 7 Management Tab Local Management Users

Guest User AccountsThe first step in creating guest user accounts is for the system administrator to set up a lobby administrator account, also known as a Lobby Ambassador account. A Lobby Ambassador account has limited configuration privileges and has access only to the pages that are used to configure and manage guest user accounts. This feature enables a nontechnical person to create and manage guest user accounts on the Cisco WLC.

A guest user account can provide a user account for a limited amount of time. The Lobby Ambassador is able to configure a specific time frame for the guest user account to be active. After the specified time period, the guest user account automatically expires.

To create a guest user account, log out of the Cisco WLC and log back in again as Lobby Administrator. You will view the guest user accounts you create on the Cisco WLC (and all others) on the local net user’s page (see the Local Net Users topic).

Lobby Ambassador Account Setup

Step 1 Go to Management > Local Management Users > New.

Step 2 Create a username for the Lobby Ambassador account and enter it in the User Name text box.

Step 3 Create a password for the Lobby Ambassador account and enter it in the Password text box.

Step 4 Reenter the Lobby Ambassador account password in the Confirm Password text box.

Step 5 Select LobbyAdmin in the User Access Mode box.

Step 6 Click Apply. The Local Management Users page opens and displays all registered users, including the new username that you just created, identified as LobbyAdmin. You may create additional new users from this page, or remove any except the admin user.

Adding Guest User Accounts

Step 1 Log into the Cisco WLC user as Lobby Ambassador.

Step 2 Click Configure > Controller Templates to display the NTP Server Templates page.

Step 3 From the left navigation, choose Security, and then choose Guest Users to display the Guest Users page.

Step 4 From the Select a Command drop-down list, choose Add Template and click GO.

Step 5 On the Guest User > New Template page, follow these steps to add a new guest user account:

a. Enter the guest username. The maximum is 24 characters.

b. Select the check box to generate an automatic password or enter a password. If you enter a password, enter it twice to confirm. The generated password is automatically entered into the password text box.

Note Passwords are case sensitive.

c. From the drop-down list, choose an SSID (WLAN Service Set Identifier). The SSID that this guest user applies must be a WLAN that has a Layer 3 web authentication policy configured. Your administrator can advise which SSID to use.

d. Enter a description of the guest user account.


Chapter 7 Management Tab CLI Sessions

e. From the drop-down list, choose days, hours, or minutes for the lifetime of this guest user account. The maximum is 30 days. A value of zero (0) implies infinity and will be a permanent account.

Step 6 Click Save to save your changes or click Cancel to leave the settings unchanged. When you click Save, the screen refreshes and includes the following:

• Save—Save your changes.

• Apply to Controllers—The Apply to Controller page appears. Select the check box for the Cisco WLC or Config Group name that the guest user account applies to and click OK. If you do not want to apply to Cisco WLCs, click Cancel. If you click OK, the Apply to Controllers page refreshes and shows the operation status. If the operation status shows as successful, the guest user account has been completed and can be used immediately.

• The Account Expiry page displays the Cisco WLC to which the guest user account was applied and the seconds remaining before the guest user account expires.

• Delete—Deletes the displayed guest user template.

• Cancel—Disregards any settings or changes.

CLI SessionsChoose MANAGEMENT > User Sessions to navigate to the CLI Sessions page. This page provides a list of open CLI sessions.

This table describes the management user details parameters.

To stop an existing Telnet session, click the blue arrow adjacent the desired session and choose Close.

Syslog ConfigurationChoose MANAGEMENT > Logs > Config to navigate to the Syslog Configuration page.

This page enables you to configure system logs.

If you enable system logs, enter the IP address of the server to which to send the syslog messages and click Add. You can add up to three syslog servers to the Cisco WLC. The list of syslog servers that have already been added to the Cisco WLC appears below this field.

Table 7-20 CLI Session Details Parameters


ID Session identification.

User Name Login username.

Login Type Telnet or serial session.

Connection From Name of the client computer system or the physical port.

Idle time Elapsed inactive session time.

Session Time Elapsed active session time.


Chapter 7 Management Tab Syslog Configuration

Syslog ServerThis table describes the syslog server parameters.

Table 7-21 Syslog Server Parameters


Syslog Server IP Address (IPv4/IPv6)

Enter the IPv4/ IPv6 address of the Syslog server address.

Note You can only add a maximum of 3 Syslog servers.


Chapter 7 Management Tab Syslog Configuration

Syslog Level Severity level for filtering syslog messages to the syslog servers:

• Emergencies—Severity level 0

• Alerts—Severity level 1 (default value)

• Critical—Severity level 2

• Errors—Severity level 3

• Warnings—Severity level 4

• Notifications—Severity level 5

• Informational—Severity level 6

• Debugging—Severity level 7

Note If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the Cisco WLC. For example, if you set the logging level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are logged.

Syslog Facility Facility for outgoing syslog messages to the syslog servers:

• Kernel—Facility level 0

• User Process—Facility level 1

• Mail—Facility level 2

• System Daemons—Facility level 3

• Authorization—Facility level 4

• Syslog—Facility level 5 (default value)

• Line Printer—Facility level 6

• USENET—Facility level 7

• Unix-to-Unix Copy—Facility level 8

• Cron—Facility level 9

• FTP Daemon—Facility level 11

• System Use 1—Facility level 12




• Local Use 0—Facility level 16








Table 7-21 Syslog Server Parameters



Chapter 7 Management Tab Message Logs

Msg Log ConfigurationThis table describes the message log configuration parameters.


Message LogsChoose MANAGEMENT > Logs > Message logs to navigate to the Message Logs page.

This page enables you to view the message logs that have been captured by the Cisco WLC, by the last to the first message. Each trap entry includes the system time, filename and line, message type and message.

Click Clear to purge the existing message log..

Management Via WirelessChoose MANAGEMENT > Mgmt Via Wireless to navigate to the Management Via Wireless page. This page enables you to configure access to the Cisco WLC management interface from wireless clients using IPv4 and IPv6 methods. The default is disabled.

Note Due to IPsec limitations, the Management Via Wireless feature is available only if you log in across WPA, Static WEP, or VPN Pass Through WLANs. The Management feature is not available if you attempt to log on through an IPsec WLAN.

Table 7-22 Msg Log Configuration Parameters


Buffered Log Level Severity level for logging messages to the Cisco WLC buffer and console:

• Emergencies—Severity level 0

• Alerts—Severity level 1

• Critical—Severity level 2

• Errors—Severity level 3 (default value)

• Warnings—Severity level 4

• Notifications—Severity level 5

• Informational—Severity level 6

• Debugging—Severity level 7

• Disable—Disable console logging

Console Log Level

File Info Information about the source file.The default is enabled.

Trace Info Traceback information. The default is disabled.


Chapter 7 Management Tab Installing and Configuring Licenses


Installing and Configuring LicensesYou can order Cisco 5500 Series Controllers with support for 12, 25, 50, 100, 250 or 500 access points as the Cisco WLC’s base capacity. You can add additional access point capacity through capacity adder licenses available at 25, 50, 100, and 250 access point capacities. You can add the capacity adder licenses to any base license in any combination to arrive at the maximum capacity of 500 access points. The base and adder licenses are supported through both rehosting and RMAs.

Note These Cisco WLC platforms do not require licenses: Cisco 4400 Series Controllers, Cisco WiSMs, Controller Network Modules, and Catalyst 3750G Integrated Wireless LAN Controller Switches.

Note All features included in a Wireless LAN Controller Wplus license are now included in the base license; this change is introduced in release 6.0.196.0. There are no changes to WCS BASE and PLUS licensing.

The base license supports the standard base software set and, for 6.0196.0 and later releases, the premium software set is included as part of the base feature set, which includes this functionality:

• Datagram Transport Layer Security (DTLS) data encryption for added security across remote WAN and LAN links.

About the availability of data DTLS for the 7.0.116.0 release:

– Cisco 5500 Series Controller—The Cisco 5500 Series Controller will be available with two licensing options: one with data DTLS capabilities and another image without data DTLS.

– Cisco 7500, 2500, WiSM2, WLC2—These platforms by default will not contain DTLS. To turn on data DTLS, a license must be installed. That is, these platforms will have a single image with data DTLS turned off. To use data DTLS you must have a license.

• Support for OfficeExtend Access Points, which are used for secure mobile telecommuting. For more information about OfficeExtend access points, see OfficeExtend Access Points.

• Support for the 1130AG and 1240AG series indoor mesh access points, which dynamically establish wireless connections in locations where it might be difficult to connect to the wired network.

All features included in a Wireless LAN Controller WPLUS license are now included in the base license; this change is introduced in release 6.0.196.0. There are no changes to WCS BASE and PLUS licensing. These WPLUS license features are included in the base license:

• OfficeExtend AP

• Enterprise Mesh

• CAPWAP Data Encryption

The licensing change can affect features on your wireless LAN when you upgrade or downgrade software releases, so you should be aware of these guidelines:

• If you have a WPLUS license and you upgrade from 6.0.x.x to 7.0.98.0, your license file contains both Basic and WPLUS license features. You will not see any disruption in feature availability and operation.



• If you have a WPLUS license and you downgrade from 7.0.98.0 to 6.0.196.0 or 6.0.188 or 6.0.182, your license file contains only base license, and you will lose all WPLUS features.

• If you have a base license and downgrade from 6.0.196.0 to 6.0.188 or 6.0.182, when you downgrade, you lose all WPLUS features.

To view the Cisco WLC trap log, choose Monitor and click View All under “Most Recent Traps” on the Cisco WLC GUI.

Note You can also view traps by using SNMP-based management tools.

The ap-count licenses and their corresponding image-based licenses are installed together. The Cisco WLC keeps track of the licensed access point count and does not allow more than the number of access points to associate to it.

The Cisco 5500 Series Controller is shipped with both permanent and evaluation base and base-ap-count licenses. If desired, you can activate the evaluation licenses, which are designed for temporary use and set to expire after 60 days.

No licensing steps are required after you receive your Cisco 5500 Series Controller because the licenses you ordered are installed at the factory. In addition, licenses and product authorization keys (PAKs) are preregistered to serial numbers. However, as your wireless network evolves, you might want to add support for additional access points or upgrade from the standard software set to the base software set. To do so, you need to obtain and install an upgrade license.

Obtaining an Upgrade License

A certificate with a product authorization key (PAK) is required before you can obtain an upgrade license.

You can use the capacity adder licenses to increase the number of access points supported by the Cisco WLC up to a maximum of 500 access points. The capacity adder licenses are available in access point capacities of 10, 25, 50, 100 and 250 access points. You can add these licenses to any of the base capacity licenses of 12, 25, 50, 100 and 250 access points.

For example, if your Cisco WLC was initially ordered with support for 100 access points (base license AIR-CT5508-100-K9), you could increase the capacity to 500 access points by purchasing a 250 access point, 100 access point, and a 50 access point additive capacity license (LIC-CT5508-250A, LIC-CT5508-100A, and LIC-CT5508-50A).

You can find more information on ordering capacity adder licenses at this URL: http://www.cisco.com/c/en/us/products/wireless/5500-series-wireless-controllers/datasheet-listing.html

If you skip any tiers when upgrading (for example, if you do not install the -25U and -50U licenses along with the -100U), the license registration fails.

For a single Cisco WLC, you can order different upgrade licenses in one transaction (for example, -25U, -50U, -100U, and -250U), for which you receive one PAK with one license. Then you have only one license (instead of four) to install on your Cisco WLC.

If you have multiple Cisco WLCs and want to upgrade all of them, you can order multiple quantities of each upgrade license in one transaction (for example, you can order 10 each of the -25U, -50U, -100U, and -250 upgrade licenses), for which you receive one PAK with one license. You can continue to register the PAK for multiple Cisco WLCs until it is exhausted.

Base license SKUs for the Cisco Flex 7500 Series Controllers are as follows:

• AIR-CT7510-300-K9

• AIR-CT7510-500-K9


http://www.cisco.com/c/en/us/products/wireless/5500-series-wireless-controllers/datasheet-listing.html


• AIR-CT7510-1K-K9

• AIR-CT7510-2K-K9

Base license SKUs for the Cisco 5500 Series Controllers are as follows:

• AIR-CT5508-12-K9

• AIR-CT5508-25-K9

• AIR-CT5508-50-K9

• AIR-CT5508-100-K9

• AIR-CT5508-250-K9

• AIR-CT5508-500-K9

The capacity adder SKUs are as follows:

• LIC-CT5508-10A

• LIC-CT5508-25A

• LIC-CT5508-50A

• LIC-CT5508-100A

• LIC-CT5508-250A

Base license SKUs for the Cisco 2500 Series Controllers are as follows:

• AIR-CT2504-5-K9

• AIR-CT2504-15-K9

• AIR-CT2504-25-K9

• AIR-CT2504-50-K9

Base license SKUs for the Cisco WiSM2 Controllers are as follows:

• WS-SVC-WISM2-1-K9—WiSM2 with 100 AP support

• WS-SVC-WISM2-3-K9—WiSM2 with 300 AP support

• WS-SVC-WISM2-5-K9—WiSM2

To obtain and register a PAK certificate, follow these steps:

Step 1 Order the PAK certificate for an upgrade license through your Cisco channel partner or your Cisco sales representative, or order it online at this URL:

http://www.cisco.com/web/ordering/root/index.html

Step 2 If you are ordering online, begin by choosing the primary upgrade SKU L-LIC-CT5508-UPG or LIC CT5508-UPG. Then, choose any number of the following options to upgrade one or more Cisco WLCs under one PAK.

This table describes the controller configuration parameters.


http://www.cisco.com/web/ordering/root/index.html


Table 7-23 License Agent Configuration Parameters

Type Part Number Description

email L-LIC-CT5508-UPG Primary upgrade SKU: Pick any number or combination of the following options under this SKU to upgrade one or many Cisco WLCs under one product authorization key

L-LIC-CT5508-25A 25 AP Adder License for the Cisco 5508 Controllers (eDelivery)




L-LIC-CT2504-UPG Primary upgrade SKU: Pick any number or combination of the following options under this SKU to upgrade one or many Cisco WLCs under one product authorization key

L-LIC-CT2504-5A 5 AP Adder License for Cisco 2504 Wireless Controller (e-Delivery)

L-LiC-CT2504-25A 25 AP Adder License for Cisco 2504 Wireless Controller (E-Delivery)



Note If you require a paper certificate for Customs, order it without the “L-” in the SKU (for example, LIC-CT5508-250A) and choose to ship it using the U.S. mail.

Step 3 After you receive the certificate, use one of two methods to register the PAK:

• Cisco License Manager (CLM)—This method automates the process of obtaining licenses and deploying them on Cisco devices. For deployments with more than five Cisco WLCs, we recommend using CLM to register PAKs and install licenses. You can also use CLM to rehost or RMA a license.

Note You can download the CLM software and access user documentation at http://www.cisco.com/c/en/us/products/cloud-systems-management/license-manager/index.html

• Licensing portal—This alternative method enables you to manually obtain and install licenses on your Cisco WLC. If you want to use the licensing portal to register the PAK, follow the instructions in Step 4.

paper LIC-CT5508-UPG Primary upgrade SKU: Pick any number or combination of the following options under this SKU, to upgrade one or many Cisco WLCs under one product authorization key

LIC-CT5508-25A 25 AP Adder License for the Cisco 5508 Controller




LIC-CT2504-UPG Primary upgrade SKU: Pick any number or combination of the following options under this sku to upgrade one or many Cisco WLCs under one product authorization key

LIC-CT2504-5A 5 AP Adder License for Cisco 2504 Controller (Paper Certificate -US Mail)

LIC-CT2504-25A 25 AP Adder License for Cisco 2504 Controller (Paper Certificate - US Mail)

Table 7-23 License Agent Configuration Parameters

Type Part Number Description


http://www.cisco.com/c/en/us/products/cloud-systems-management/license-manager/index.html


Step 4 Use the licensing portal to register the PAK as follows:

a. Go to http://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet

b. On the main Product License Registration page, enter the PAK mailed with the certificate in the Product Authorization Key (PAK) text box and click Submit.

c. On the Validate Features page, enter the number of licenses that you want to register in the Qty text box and click Update.

d. To determine the Cisco WLC’s product ID and serial number, choose Controller > Inventory on the Cisco WLC GUI or enter the show license udi command on the Cisco WLC CLI.

Note To determine the Cisco WLC’s product ID and serial number, see the Inventory page.

e. On the Designate Licensee page, enter the product ID and serial number of the Cisco WLC on which you plan to install the license, read and accept the conditions of the end-user license agreement (EULA), complete the rest of the text boxes on this page, and click Submit.

f. On the Finish and Submit page, verify that all information is correct and click Submit.

g. When a message appears indicating that the registration is complete, click Download License. The license is emailed within 1 hour to the address that you specified.

h. When the e-mail arrives, follow the instructions provided.

i. Copy the license file to your TFTP server.

j. Follow the instructions in the “Installing a License” section below to install the license on your Cisco WLC.

Installing a License

For installation instructions, see the Install License section on the License Commands page.

LicensesChoose MANAGEMENT > Software Activation > Licenses to navigate to the Licenses page.

This page enables you to view all of the following types of information about the licenses installed on the Cisco WLC:

• License—Name of the license.

• Type—Permanent, evaluation, or extension.

• Time (expires)—How long until the license expires.

• HBL Count—Maximum number of access points allowed for the adder license. This field appears only for Cisco Flex 7500 Series and 8500 Series Controllers.

• Non HBL Count—Maximum number of access points allowed for the CDK license. This field appears only for Cisco Flex 7500 Series and 8500 Series Controllers.

• Count—Maximum number of access points allowed for this license. This field does not appear for Cisco Flex 7500 Series and 8500 Series Controllers.

• Priority—Low, medium, or high.

• Status—In use, not in use, inactive, or End User License Agreement (EULA) not accepted.


http://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet


If you ever want to remove a license from the Cisco WLC, click the blue arrow adjacent the desired license and choose Remove. For example, you might want to delete an expired evaluation license or any unused license. You cannot delete unexpired evaluation licenses, the permanent base image license, or licenses that are in use by the Cisco WLC.

For Cisco Flex 7500 Series and 8500 Series Controllers, honor-based licensing also called Right to Use licensing was introduced in Cisco WLC Release 7.3. This feature allows you to add and activate an AP-count license on the Cisco WLC without using any external tools after accepting an End User License Agreement (EULA).

To add an AP-count license for Cisco Flex 7500 Series and 8500 Series Controllers follow these steps:

Step 1 Enter the count in the License Count text box.

Step 2 Choose Add from the License Count drop-down list.

Step 3 Click Set Count.

Step 4 When the end-user license agreement (EULA) appears, read the terms of the agreement and then click Accept.

The ap-count permanent license is active now.

To delete an AP-count license or reduce the count for Cisco Flex 7500 Series and 8500 Series Controllers follow these steps:

Step 1 Enter the count in the License Count text box.

Step 2 Choose Delete from the License Count drop-down list.

Step 3 Click Set Count.


If the count is equal to the HBL count of the license, the license is removed from the list. If the count is less than the HBL count, the license appears with the decremented count.

To view more details for a particular license, click the link for the desired license. The License Detail page appears.

License DetailChoose MANAGEMENT > Software Activation > License and then click a license name to navigate to the License Detail page.

This page shows the following additional information for the license:

• License name

• License type

The license type can be permanent, evaluation, or extension.

• License version

• Comment



You can enter a comment for this license in the Comment text box and click Apply.

• Status

Status of the license. It can be one of the following:

– In use

– Not in use

– Inactive

– End user license agreement not accepted

• Current Status

This field appears only for Cisco Flex 7500 Series and 8500 Series Controllers. It indicates the current status of the license. It can be one of the following:

– In use

– Not in use

– Inactive

– End user license agreement not accepted

• Expires

Length of time before the license expires

Note Permanent licenses never expire.

• License Status

This field appears only for Cisco Flex 7500 Series and 8500 Series Controllers.You can activate or deactivate the license by choosing Activate or Deactivate from the drop-down list.

• Built-in License

Whether the license is a built-in license.

• Maximum Count

Maximum number of access points allowed for this license. This field does not appear for Cisco Flex 7500 Series and 8500 Series Controllers.

• Counts Used

Number of access points currently using this license. This field does not appear for Cisco Flex 7500 Series and 8500 Series Controllers.

• Priority

To activate an ap-count evaluation license, you must change its priority to high. If you no longer want to have this higher capacity, you can lower the priority of the ap-count evaluation license, which forces the controller to use the permanent license. This field does not appear for Cisco Flex 7500 Series and 8500 Series Controllers.

Note You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses always have a medium priority, which cannot be configured.



Activating an AP-Count Evaluation License

If you are considering upgrading to a license with a higher access point count, you can try an evaluation license before upgrading to a permanent version of the license. For example, if you are using a permanent license with a 50 access point count and want to try an evaluation license with a 100 access point count, you can try out the evaluation license for 60 days.

AP-count evaluation licenses are set to low priority by default so that the Cisco WLC uses the ap-count permanent license. If you want to try an evaluation license with an increased access point count, you must change its priority to high. If you no longer want to have this higher capacity, you can lower the priority of the ap-count evaluation license, forcing the Cisco WLC to use the permanent license.

Note If the ap-count evaluation license is a wplus license and the ap-count permanent license is a base license, you must also change the feature set to wplus. See the License Level page for instructions.

Note To prevent disruptions in operation, the Cisco WLC does not switch licenses when an evaluation license expires. You must reboot the Cisco WLC in order to return to a permanent license. Following a reboot, the Cisco WLC defaults to the same feature set level as the expired evaluation license. If no permanent license at the same feature set level is installed, the Cisco WLC uses a permanent license at another level or an unexpired evaluation license.

To activate an ap-count evaluation license, follow these steps:

Step 1 Choose High from the Priority drop-down list and click Set Priority.

Step 2 Click OK when prompted to confirm your decision about changing the priority of the license.


Step 4 When prompted to reboot the Cisco WLC, click OK.

Step 5 Reboot the Cisco WLC in order for the priority change to take effect.

Step 6 Click Licenses to open the Licenses page and verify that the ap-count evaluation license now has a high priority and is in use. You can use the evaluation license until it expires.

If you decide to stop using the ap-count evaluation license and want to revert to using an ap-count permanent license, follow these steps:

Step 1 Choose Low from the Priority drop-down list and click Set Priority.

Step 2 Click OK when prompted to confirm your decision about changing the priority of the license.


Step 4 When prompted to reboot the Cisco WLC, click OK.

Step 5 Reboot the Cisco WLC in order for the priority change to take effect.

Step 6 Click Licenses to open the Licenses page and verify that the ap-count evaluation license now has a low priority and is not in use. Instead, the ap-count permanent license should be in use.



License LevelChoose MANAGEMENT > Software Activation > License Usage to navigate to the License Level page.

This page enables you to configure the Cisco WLC to specify which feature set it uses (base or wplus). Only the base or wplus license can be active at a time. The currently active license determines the feature set and number of access points supported on the Cisco WLC.

This page shows the current license level (base or wplus) and the level to be used after the next Cisco WLC reboot. It also shows the maximum number of access points allowed by the license on the Cisco WLC, the number of access points currently joined to the Cisco WLC, and the number of access points that can still join the Cisco WLC.

Note To learn more about the available license levels, click the base or wplus license level link to open the Licenses page. This page shows the licenses applicable to this level and the list of features supported. Click Back to return to the License Level page.

To change the license level, follow these steps:

Step 1 Choose the license level to be used on the next reboot: base, wplus, or auto. If you choose auto, the licensing software automatically chooses the license level to use on the next reboot. It chooses permanent licenses over evaluation licenses and wplus licenses over base licenses.

Note If you are considering upgrading from a base license to a wplus license, you can try an evaluation wplus license before upgrading to a permanent wplus license. To activate the evaluation license, you need to set the image level to wplus in order for the Cisco WLC to use the wplus evaluation license instead of the base permanent license. If no valid licenses are installed, the Cisco WLC can always operate in base level.

Note To prevent disruptions in operation, the Cisco WLC does not switch licenses when an evaluation license expires. You must reboot the Cisco WLC in order to return to a permanent license. Following a reboot, the Cisco WLC defaults to the same feature set level as the expired evaluation license. If no permanent license at the same feature set level is installed, the Cisco WLC uses a permanent license at another level or an unexpired evaluation license.

Step 2 Click Activate.

Step 3 Click OK when prompted to confirm your decision to change the license level on the next reboot.

Step 4 If the end-user license agreement (EULA) appears, read the terms of the agreement and then click Accept. The Next Boot Level text box now shows the license level that you specified as the level to be used after the next Cisco WLC reboot.

Step 5 Reboot the Cisco WLC for the specified license level to take effect.



License CommandsChoose MANAGEMENT > Software Activation > Commands to navigate to the License Commands page.

From this page, you can install, save, or rehost licenses, and save device credentials.

Install License

Note For information about obtaining an upgrade license, see the Obtaining an Upgrade License topic.

Step 1 From the Action drop-down list, choose Install License. The Install license from a file section appears.

Step 2 In the File Name to Install text box, enter the path to the license (*.lic) on the TFTP server.

Step 3 Click Install License. A message appears to show whether the license was installed successfully. If the installation fails, the message provides the reason for the failure, such as the license is an existing license, the path was not found, the license does not belong to this device, you do not have correct permissions for the license, and so on.

Step 4 If the end-user license agreement (EULA) acceptance window appears, read the agreement and click Accept to accept the terms of the agreement.

Note Typically you are prompted to accept the end-user license agreement (EULA) for evaluation, extension, and rehost licenses. The EULA is also required for permanent licenses, but it is accepted during license generation.

Step 5 Reboot the Cisco WLC.

Save License

Step 1 From the Action drop-down list, choose Save License. This saves all the licenses to a file, except the evaluation license section that appears.

Step 2 In the File Name to Save text box, enter the path on the TFTP server where you want the licenses to be saved.

Note You cannot save evaluation licenses.

Step 3 Click Save Licenses.

Step 4 Reboot the Cisco WLC.



Save Credentials

To save device credential information to a file, enter the path on the TFTP server where you want the device credentials to be saved and click Save Credentials. You need to save the device credentials to rehost a license.

Rehost

Revoking a license from one Cisco WLC and installing it on another is called rehosting. You might want to rehost a license to change the purpose of a Cisco WLC. For example, if you want to move your OfficeExtend or indoor mesh access points to a different Cisco WLC, you could transfer the wplus license from one Cisco WLC to another.

In order to rehost a license, you must generate credential information from the Cisco WLC and use it to obtain a permission ticket to revoke the license from the Cisco licensing site. Next, you must obtain a rehost ticket and use it to obtain a license installation file for the Cisco WLC on which you want to install the license.

Evaluation licenses and the permanent base image license cannot be rehosted.

Note A revoked license cannot be reinstalled on the same Cisco WLC.

To rehost a license, follow these steps:

Step 1 In the File Name to Save Credentials text box, enter the path on the TFTP server where you want the device credentials to be saved and click Save Credentials.

Step 2 Obtain a permission ticket to revoke the license as follows:

a. Click Cisco Licensing (https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet). The Product License Registration page appears.

b. Under Manage Licenses, click Look Up a License.

c. Enter the product ID and serial number for your Cisco WLC.

Note To determine the Cisco WLC’s product ID and serial number, see the Inventory page.

d. Open the device credential information file that you saved in Step 1 and copy and paste the contents of the file into the Device Credentials text box.

e. Enter the security code in the blank box and click Continue.

f. Choose the licenses that you want to revoke from this Cisco WLC and click Start License Transfer.

g. On the Rehost Quantities page, enter the number of licenses that you want to revoke in the To Rehost box and click Continue.

h. On the Designate Licensee page, enter the product ID and serial number of the Cisco WLC for which you plan to revoke the license, read and accept the conditions of the end-user license agreement (EULA), complete the rest of the text boxes on this page, and click Continue.

i. On the Review and Submit page, verify that all information is correct and click Submit.

j. When a message appears indicating that the registration is complete, click Download Permission Ticket. The rehost permission ticket is e-mailed within 1 hour to the address that you specified.


https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet

Chapter 7 Management Tab System Resource Information

k. After the e-mail arrives, copy the rehost permission ticket to your TFTP server.

Step 3 Use the rehost permission ticket to revoke the license from this Cisco WLC and generate a rehost ticket as follows:

a. In the Cisco WLC GUI Enter Saved Permission Ticket File Name text box, enter the TFTP path and filename (*.lic) for the rehost permission ticket that you generated in Step 2.

b. In the Rehost Ticket File Name text box, enter the TFTP path and filename (*.lic) for the ticket that will be used to rehost this license on another Cisco WLC.

c. Click Generate Rehost Ticket.

d. When the EULA acceptance page appears, read the agreement and click Accept to accept the terms of the agreement.

Step 4 Use the rehost ticket that you generated in Step 3 to obtain a license installation file, which can then be installed on another Cisco WLC as follows:

a. Click Cisco Licensing (http://www.cisco.com/go/license)

b. On the Product License Registration page, click Upload Rehost Ticket under Manage Licenses.

c. On the Upload Ticket page, enter the rehost ticket that you generated in Step 3 in the Enter Rehost Ticket text box and click Continue.

d. On the Validate Features page, verify that the license information for your Cisco WLC is correct, enter the rehost quantity, and click Continue.

e. On the Designate Licensee page, enter the product ID and serial number of the Cisco WLC on which you plan to use the license, read and accept the conditions of the EULA, complete the rest of the text boxes on this page, and click Continue.

f. On the Review and Submit page, verify that all information is correct and click Submit.

g. When a message appears indicating that the registration is complete, click Download License. The rehost license key is e-mailed within 1 hour to the address you specified.

h. After the e-mail arrives, copy the rehost license key to your TFTP server.

i. Follow the instructions from the Install License page to install this license on another Cisco WLC.

System Resource InformationChoose MANAGEMENT > Tech Support > System Resource Information to navigate to the System Resource Information page.

This page enables you to view the settings for the current Cisco WLC CPU usage, system buffers, and web server buffers.

For Cisco 5500 Series Controllers, the System Resource Information page also shows the Individual CPU usage, which is the percentage of the CPU in use and the percentage of the CPU time spent at the interrupt level.

Controller Crash InformationChoose MANAGEMENT > Tech Support > Controller Crash to navigate to the Controller Crash Information page.


http://www.cisco.com/go/license

Chapter 7 Management Tab Core Dump

This page displays the most recent Cisco WLC CPU crash files from most to least recent.

Core DumpChoose MANAGEMENT > Tech Support > Core Dump to navigate to the Core Dump page.

You can configure the following settings so that the Cisco WLC can automatically upload a core dump file of the Cisco WLC:

• Core Dump Transfer—Setting to enable or disable the Cisco WLC to generate a core dump file following a crash.

• Transfer Mode—Transfer mode type. Choose FTP. The default is FTP.

• IP Address—IP address of the FTP server to which the core dump file is uploaded.

• File Name—Name that the Cisco WLC uses to label the core dump file.

• User Name—Username to log on to FTP.

• Password—Password to log on to FTP.


AP Crash LogsChoose MANAGEMENT > Tech Support > AP Crash Log to navigate to the AP Crash Logs page.

This page enables you to view the following settings for the most recent access point log:

• AP Name—Access point name

• AP ID—Access point ID

• MAC Address—MAC address of the access point

• Admin Status—Admin status of the access point

• Operational Status—Operational status of the access point

• Port—Port number

• FileName—Name of the crash log file

• FileSize—Size of the crash log file

• TimeStamp—Crash Timestamp


Chapter 7 Management Tab AP Crash Logs


C H A P T E R 8
Commands Tab
This tab on the menu bar enables you to access the controller operating system software management commands. Use the left navigation pane to access the operating system software management parameters.

You can access the following pages from the Commands tab:

• Download File to Controller

• Upload File from Controller

• System Reboot

• Config Boot

• Scheduled Reboot

• Reset to Factory Default

• Set Time

• Login Banner

• Redundancy

You can find controller configuration information in the following sections:

• Using the Configuration Wizard

• Collect the Initial Configuration Settings

• Connecting Your Web Browser to a Controller

• Configuration Wizard System Information

• Service Interface Configuration

• Management Interface Configuration

• Miscellaneous Configuration

• Virtual Interface Configuration

• WLAN Policy Configuration

• RADIUS Server Configuration

• 802.11 Configuration

• Completing the Configuration Wizard


Chapter 8 Commands Tab Download File to Controller

Download File to ControllerChoose COMMANDS > Download File to navigate to this page.

This page enables you to download and install new controller operating system software (code), a signature file, or a configuration file to your controller from a local TFTP (trivial file transfer protocol), FTP server, SFTP server, or over HTTP.

Note Follow these guidelines when setting up a TFTP server:

• If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable.

• If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port is routable.

• A third-party TFTP server cannot run on the same computer as Cisco Prime Infrastructure, because the Cisco Prime Infrastructure built-in TFTP server and the third-party TFTP server require the same communication port.

To download a file to the controller, follow these steps:

Step 1 From the File Type drop-down list, choose the kind of file that you want to download from the following options:

• Code—You can download an executable image.

• Configuration—If you choose Configuration, also enter the configuration file encryption key that enables the data in the file to be encrypted when the file is downloaded.

• Signature File—A standard signature file exists on the controller by default. You can upload this signature file from the controller, or you can create a custom signature file and download it to the controller or modify the standard signature file to create a custom signature.

If you are downloading a custom signature file (*.sig), copy it to the default directory on your TFTP server.

• Webauth Bundle—You can download a custom webauth bundle.

• Vendor Device Certificate—When you choose Vendor Device Certificate, also enter the certificate password that is used to protect the certificate.

• Vendor CA Certificate—You can download a vendor CA certificate.

• Login Banner—The login banner is the text that appears in the window before user authentication when you access the controller CLI using Telnet, SSH, or a console port connection. You save the login banner information as a text file (*.txt). The text file cannot be larger than 1296 characters and cannot have more than 16 lines of text.

Note The ACSII character set consists of printable and nonprintable characters. The login banner supports only printable characters.

Note Clearing the controller configuration does not remove the login banner. See the Login Banner topic for information about clearing the login banner file.


Chapter 8 Commands Tab Download File to Controller

Note The controller can have only one login banner file. If you download another login banner file to the controller, the first login banner file is overwritten.

Step 2 From the Transfer Mode drop-down list, choose from the following options:

– TFTP

– FTP

– SFTP

– HTTP

Step 3 If you selected TFTP from the Transfer Mode drop-down list, do the following:

a. In the IP Address (IPv4/IPv6) text box, enter the IPv4/IPv6 address of the TFTP server.

b. In the Maximum Retries text box, enter the maximum number of times the controller should attempt to download the signature file. The valid range is from 1 to 254; the default value is 10.

c. In the Timeout text box, enter the amount of time in seconds before the controller times out while attempting to download the signature file. The valid range is from 1 to 254; the default value is 6.

d. In the File Path text box, enter the file path on the server (default = /).

e. In the File Name text box, enter the name of the file to be transferred.

Note You cannot use special characters such as \ : * ? " < > | for the file path or a filename.

Step 4 If you selected FTP or SFTP from the Transfer Mode drop-down list, do the following:

a. In the IP Address (IPv4/IPv6) text box, enter the IPv4/IPv6 address of the FTP or SFTP server.

b. In the File Path text box, enter the file path on the server (default = /).

c. In the File Name text box, enter the name of the file to be transferred.

d. In the Server Login Username text box, enter the username to log in to the FTP or SFTP server.

e. In the Server Login Password text box, enter the password to log in to the FTP or SFTP server.

f. In the Server Port Number text box, enter the port number on the FTP or SFTP server through which the download occurs. The default value for the FTP server port is 21. The default value for the SFTP server port is 22.

Note The SFTP server must support SSHv2, else the file transfer will fail.

Step 5 If you selected HTTP from the Transfer Mode drop-down list, do the following:

a. Click Choose File and browse to the .aes file on the local computer to send to WLC.

Step 6 Click the Download button.

The controller downloads and installs the new controller operating system software. This process takes at least three minutes and overwrites your existing code and configuration.

Note You must reboot the controller after the new operating system software is installed.


Chapter 8 Commands Tab Upload File from Controller

Buttons

• Clear: Deletes the entries in the data fields.

• Download: Begins the download from the SFTP , FTP or TFTP server; you are prompted to continue.

Upload File from ControllerChoose COMMANDS > Upload File to navigate to this page.

This page enables you to upload files from your controller to a local SFTP , FTP or, TFTP server.

Note The SFTP server must support SSHv2, else the file transfer will fail.

You can upload the following files:

• Configuration file—See the Editing Configuration Files topic for information about editing configuration files. The following options are available:

– Configuration

– Event Log

– Message Log

– Trap Log

– Crash File

– Debug-File

– Signature File

– PAC (Protected Access Credential)—In the User text box, enter the name of the user who will use the PAC. In the Validity text box, enter the number days for the PAC to remain valid. The default setting is zero (0). In the Password and Confirm Password text boxes, enter a password to protect the PAC.

– Radio Core Dump

– Invalid Config—See the Configuration Files with Invalid CLI Commands topic for information about uploading the invalid configuration for analysis.

– Packet Capture—When a Cisco 5500 Series Controller’s data plane crashes, it stores the last 50 packets that the controller received in flash memory. This information can be useful in troubleshooting the crash. When a crash occurs, the controller generates a new packet capture file (*.pcap) file. You can upload the packet capture file from the controller. You can then use Wireshark or another standard packet capture tool to view and analyze the contents of the file.

Note Only Cisco 5500 Series Controllers generate packet capture files. This feature is not available on other controller platforms.

– Watchdog Crash File

– Panic Crash File


Chapter 8 Commands Tab Upload File from Controller

• Configuration File Encryption—Enable the Configuration File Encryption option and enter the encryption key. File encryption ensures that data is encrypted while uploading or downloading the controller configuration file through a TFTP, SFTP, or FTP server.

• Transfer Mode—Choose the transfer mode from the drop-down list. Available options include FTP, SFTP, and TFTP.

If you chose TFTP from the Transfer Mode drop-down list, enter the IPv4/IPv6 address of the TFTP server, the file path on the server (default = /), and a name for the file you have selected for upload.

Note The TFTP server cannot run on the same computer as the Cisco Wireless Control System because the Cisco WCS or Cisco Prime Infrastructure and the TFTP server use the same communication port.

If you chose FTP or SFTP from the Transfer Mode drop-down list, enter the IPv4/IPv6 address of the FTP or SFTP server, the file path on the server (default = /), a name for the file you have selected for upload, the username to log in to the SFTP or FTP server, the password to log in to the SFTP or FTP server, and the port number on the SFTP or FTP server through which the download occurs (the default value for the FTP server port is 21, and the default value for the SFTP server port is 22).

When you click Upload, the selected file is uploaded to your TFTP, SFTP, or FTP server and is saved with the same name that you entered in the File Name field.

Editing Configuration Files

When you save the controller’s configuration, the controller stores it in XML format in flash memory. When you upload the configuration file to a TFTP, SFTP, or FTP server, the controller converts the file from XML to CLI. You can then read, modify, delete, or add CLI commands to the configuration file in CLI format on the server.

Note To edit the configuration file, you can use either Notepad on Windows or the VI editor on Linux.

When you are finished, save your changes to the configuration file on the server and download the file back to the controller, where it is reconverted to XML format and saved.

Configuration Files with Invalid CLI Commands

CLI commands with known keywords and proper syntax are converted to XML while improper CLI commands are ignored and saved to flash memory. Any CLI commands that have invalid values are replaced with default values. To see any ignored commands or invalid configuration values, enter the show invalid-config command on the controller CLI.

Note You can enter this command only before the clear config or save config command.

If the downloaded configuration contains a large number of invalid CLI commands, you might want to upload the invalid configuration to the TFTP, SFTP, or FTP server for analysis.

Buttons

• Clear: Deletes the entries in the data fields are deleted.

• Upload: Begins the file upload to the TFTP, SFTP, or FTP server; you are prompted to continue.


Chapter 8 Commands Tab System Reboot

System RebootChoose COMMANDS > Reboot to navigate to this page.

This page enables you to restart the controller. You are prompted to save your configuration changes in the next page if you have not already saved configuration changes using the Save Configuration Administrative toolbar at the top right of your window.

Buttons

• Reboot: Restarts the controller. You are prompted for confirmation. See the System Reboot > Save? topic.

System Reboot > Save?Choose COMMANDS > Reboot and then click Reboot to navigate to this page.

This page prompts you to restart the controller after saving your configuration changes or restart without saving.

Buttons

• Reboot: Restarts the controller after saving your existing applied changes. See the System Reboot > Confirm topic.

System Reboot > ConfirmChoose COMMANDS > Reboot and then click Reboot to navigate to this page.

This page enables you to confirm the restart of your controller after saving your configuration changes. All system connections are lost so you must open a new session and log back in to the controller.

Buttons

• Reboot: Restarts the controller.

Config BootChoose Commands > Config Boot to navigate to this page.

This page enables you to configure the primary and backup boot image for the controller.

General

The primary image uses the primary image version on the controller. The primary image is the active image. The backup image uses the backup image version on the controller.


Chapter 8 Commands Tab Scheduled Reboot

Config Boot Image

Boot enables you to select the image that you want the controller to use while rebooting. You can choose one of the two options provided from the drop-down list: Primary or Backup. Depending on the option that you choose from the drop-down list, the controller takes that image as the active image while rebooting.

Buttons

• Apply: Saves the config boot input to the controller.

Scheduled RebootThis topic describes how to schedule a reboot of the controller.

Reboot AtChoose COMMANDS > Scheduled Reboot >Reboot At and then click the Reboot button to navigate to this page.

This page enables you to schedule a reboot of the controller at a specific time. All system connections are lost so you must open a new session and log back into the controller.

You can schedule the following settings for a reboot:

• Current Time—Current time on the controller.

• Date—Date on which you want to schedule the reboot. You can choose the month by using the drop-down lists for the month and the year in the Year text box.

• Time—Time at which you want to schedule the reboot. You can choose the hour from the Hour drop-down list and enter the minutes and seconds in the text boxes provided.

• Image—Type of image that the controller must use when rebooting. The following options are available:

– Normal—The controller reboots with the current available software image.

– Interchange—The controller interchanges the software image with the backup image when rebooting.

Buttons

• Save and Reboot: Saves the controller configuration and reboot.

• Reboot without Save: Reboots the controller without saving the configuration.

Reboot InChoose COMMANDS > Scheduled Reboot >Reboot In and click Reboot to navigate to this page.

This page enables you to schedule a reboot of the controller in a specific time duration from the current time. All system connections are lost so you must open a new session and log back into the controller.


Chapter 8 Commands Tab Reset to Factory Default

• Time—Time at which you want to schedule the reboot by setting the hour from the Hour drop-down list and then you can enter the minutes and seconds in the text boxes provided.

• Image—Type of image that the controller must use when rebooting. The following options are available:

– Normal—The controller reboots with the current available software image.

– Interchange—The controller interchanges the software image with the backup image when rebooting.

Buttons

• Save and Reboot: Saves the controller configuration and reboot.

• Reboot without Save: Reboots the controller without saving the configuration.

Clear RebootChoose COMMANDS > Scheduled Reboot > Clear Reboot to navigate to this page.

This page enables you to cancel the scheduled reboot. The following information appears:

• Scheduled Reset Information—Scheduled reset information.

– Current Time—Current time on the controller.

– System Reset Time—System reset time.

• Reset System Notify-time—Reset system notification time.

– Current reset system notify-time—Scheduled notification time (in minutes) before the traps are sent.

– Notify Time—Notification time (in minutes) before the traps should be sent.

Buttons

• Clear: Clears the scheduled reset information.

• Apply: Applies the current settings.

Reset to Factory DefaultChoose COMMANDS > Reset to Factory Default to navigate to this page.

This page enables you to reset the controller configuration to the factory default. Resetting the configuration overwrites all applied and saved configuration parameters. You are prompted for confirmation to reset the configuration.

All configuration data files are deleted, and upon reboot, the controller is restored to its original unconfigured state. Resetting the configuration removes all IP configuration and you need a serial connection to restore the base configuration.

Note After confirming the configuration removal, you must reboot the controller and choose Reboot Without Saving.


Chapter 8 Commands Tab Set Time

Buttons

• Reset: Returns the configuration to the factory default.

Set TimeChoose COMMANDS > Set Time to navigate to this page. This page enables you to configure the following settings for the time and date on the controller:

• Current Time—Current timestamp on the controller.

• Date—The date on the controller

– Month

– Day

– Year

• Time

– Hour

– Minutes

– Seconds

• Timezone

– Delta—You cannot use this option on the controller GUI. However, if you do so on the controller CLI, the change is reflected in the Delta Hours and Mins fields on the controller GUI.

– Location—When you choose a time zone that uses Daylight Saving Time (DST), the controller automatically sets its system clock to reflect the time change when DST occurs. In the United States, DST starts on the second Sunday in March and ends on the first Sunday in November.

Login BannerChoose COMMANDS > Login Banner to navigate to this page.

To clear the login banner from the controller, click Clear. At the prompt, click OK to clear the banner.

RedundancyChoose COMMANDS > Redundancy to configure the redundancy parameters and peer network routes:

• To upload files from the peer controller to a local TFTP server, choose COMMANDS > Redundancy > Upload Peer.

• To reset the peer controller, choose COMMANDS > Redundancy > Reset Peer.

Redundancy > Upload PeerChoose COMMANDS > Redundancy > Upload Peer to navigate to this page.


Chapter 8 Commands Tab Redundancy

This page enables you to upload files from the peer controller to a local TFTP server.

You can upload the following files:

• Configuration file—See the Editing Configuration Files topic for information about editing configuration files. The following options are available:

– Configuration

– Event Log

– Message Log

– Trap Log

– Crash File

– Debug-File

– Signature File

– PAC (Protected Access Credential)—In the User text box, enter the name of the user who will use the PAC. In the Validity text box, enter the number days for the PAC to remain valid. The default setting is zero (0). In the Password and Confirm Password text boxes, enter a password to protect the PAC.

– Radio Core Dump

– Invalid Config—See the Configuration Files with Invalid CLI Commands topic for information about uploading the invalid configuration for analysis.

– Packet Capture—When a Cisco 5500 Series Controller’s data plane crashes, it stores the last 50 packets that the controller received in flash memory. This information can be useful in troubleshooting the crash. When a crash occurs, the controller generates a new packet capture file (*.pcap) file. You can upload the packet capture file from the controller. You can then use Wireshark or another standard packet capture tool to view and analyze the contents of the file.

Note Only Cisco 5500 Series Controllers generate packet capture files. This feature is not available on other controller platforms.

– Watchdog Crash File

– Panic Crash File

• Configuration File Encryption—Enable the Configuration File Encryption option and enter the encryption key. File encryption ensures that data is encrypted while uploading or downloading the controller configuration file through a TFTP, SFTP, or FTP server.

• Transfer Mode—Choose the transfer mode from the drop-down list. Available options include FTP, SFTP, and TFTP. If you chose TFTP from the Transfer Mode drop-down list, enter the IP address of the TFTP server, the file path on the server (default = /), and a name for the file you have selected for upload.

Note The TFTP server cannot run on the same computer as the Cisco Wireless Control System because the Cisco WCS or Cisco Prime Infrastructure and the TFTP server use the same communication port.


Chapter 8 Commands Tab Redundancy

If you chose FTP or SFTP from the Transfer Mode drop-down list, enter the IP address of the FTP or SFTP server, the file path on the server (default = /), a name for the file you have selected for upload, the username to log in to the FTP or SFTP server, the password to log in to the FTP or SFTP server, and the port number on the FTP or SFTP server through which the download occurs (the default value for the server port is 21 and the default value for the SFTP server port is 22).

When you click Upload, the selected file is uploaded to your TFTP, SFTP, or FTP server and is saved with the same name that you entered in the File Name field.

Editing Configuration Files

When you save the controller’s configuration, the controller stores it in XML format in flash memory. When you upload the configuration file to a TFTP, SFTP, or FTP server, the controller converts the file from XML to CLI. You can then read, modify, delete, or add CLI commands to the configuration file in CLI format on the server.

Note To edit the configuration file, you can use either Notepad on Windows or the VI editor on Linux.

When you are finished, save your changes to the configuration file on the server and download the file back to the controller, where it is reconverted to XML format and saved.

Configuration Files with Invalid CLI Commands

CLI commands with known keywords and proper syntax are converted to XML while improper CLI commands are ignored and saved to flash memory. Any CLI commands that have invalid values are replaced with default values. To see any ignored commands or invalid configuration values, enter the show invalid-config command on the controller CLI.

Note You can enter this command only before the clear config or save config command.

If the downloaded configuration contains a large number of invalid CLI commands, you might want to upload the invalid configuration to the TFTP, SFTP, or FTP server for analysis.

Buttons

• Clear: Deletes the entries in the data fields are deleted.

• Upload: Begins the file upload to the TFTP, SFTP, or FTP server; you are prompted to continue.

Redundancy > Reset PeerChoose COMMANDS > Redundancy > Reset Peer to navigate to this page.

This page enables you to reset the peer controller.

Buttons

• Reboot: Resets the peer controller.


Chapter 8 Commands Tab Using the Configuration Wizard

Using the Configuration WizardWhen the controller is activated for the first time from the factory, or when it has been rebooted after a Reset to Factory Default, the Web User Interface displays the Web Configuration Wizard. Use the web Configuration Wizard to configure the controller for initial operation.

Complete the following wizard screens to enter the initial controller configuration:

• Collect the Initial Configuration Settings

• Connecting Your Web Browser to a Controller

• Configuration Wizard System Information

• Service Interface Configuration

• Management Interface Configuration

• Miscellaneous Configuration

• Virtual Interface Configuration

• WLAN Policy Configuration

• RADIUS Server Configuration

• 802.11 Configuration

• Redundancy Configuration

• Completing the Configuration Wizard

Collect the Initial Configuration SettingsCollect the following high-level controller parameters.

System Parameters

The system parameters are as follows:

• Controller name

• Supported protocols: 802.11a/n and/or 802.11b/g/n

• New usernames and passwords (optional)

Network (Distribution System) Parameters

The network parameters are as follows:

• Distribution System (network) port static IP address, netmask, and optional default gateway IP address from the network planner.

• Service port static IP address and netmask from the network planner (optional).

• Distribution System physical port (1000Base-T, 1000BASE-SX, or 10/100BASE-T). The 1000Base-SX (UNUSED PRODUCT) provides a 100/1000 Mbps wired connection to a network through an 850nM (SX) fiber-optic link using an LC physical connector.

• Distribution System port VLAN assignment (optional).

• Distribution System port Web and Secure Web mode settings, enabled or disabled.



• Distribution System port Spanning Tree Protocol: enabled/disabled, 802.1D/fast/off mode per port, path cost per port, priority per port, bridge priority, forward delay, hello time, maximum age.

WLAN Parameters

The WLAN parameters are as follows:

• VLAN assignments

• Layer 2 Security settings

• Layer 3 Security settings

• QoS assignments

Mobility Parameters

Specify the Mobility Settings for the controller by providing a mobility group name. This step is optional.

RADIUS Parameters

Specify the RADIUS parameters.

SNMP Parameters

Specify the SNMP parameters.

Other Parameters

Other Port and Parameter Settings: Service port, Radio Resource Management (RRM), third-party APs, Serial/CLI Console port, 802.3x Flow Control, and System Logging.

Other Actions

Collect all files that may need uploading or downloading to the controller, including the latest operating system code.

Connecting Your Web Browser to a ControllerTo connect your web browser to the controller, follow these steps:

Note For the Initial GUI Configuration Wizard only, you cannot access the controller using IPv6 address.

Step 1 Temporarily configure your web browser device with a 192.168.1.2 IP address. Connect your web browser to the controller front panel service port, either using a crossover Ethernet cable or through an Ethernet hub or controller.

Note In case of Cisco WLC 2500, connect your PC to the port 2 on the controller and configure to use the same subnet.



Step 2 Type 192.168.1.1 into the address line of your web browser to log into the web user interface as described in the Commands Tab topic. The web server built into the controller responds with the login prompt.

Step 3 Enter admin and admin as the login and password, respectively. The controller displays the Configuration Wizard System Information page, in which you will configure the controller name and administrative user login.

Configuration Wizard System InformationTo configure the wizard, follow these steps:

Step 1 On the Configuration Wizard System Information page, enter the controller name.

Step 2 Also in the Configuration Wizard page, enter a new administrative username and password. The default is admin and admin, respectively.)

Step 3 Click Next to have the controller save your inputs and display the Service Interface Configuration page, in which you will configure the Service Port Interface.

Service Interface ConfigurationTo configure the service interface, follow these steps:

Step 1 Click the DHCP Protocol Enable box when the Service Port Interface is to obtain an IP address from a DHCP server. When the Service Port Interface is to use a fixed IP address, leave this box unselected.

Step 2 The IP Address box contains the current Service Port Interface IP address. If desired, enter a different Service Port Interface IP address.

Step 3 The Netmask box contains the current Service Port IP netmask. If desired, enter a different Service Port Interface IP netmask.

Step 4 Click Next to have the controller save your inputs and display the Management Interface Configuration page, in which you will configure the Management Interface.

Management Interface ConfigurationTo configure the management interface, follow these steps:

Caution Do not configure wired clients in the same VLAN or subnet of the service port on the network. If you configure wired clients on the same subnet or VLAN as the service port, you will not be able to access the management interface.

Step 1 Enter a Management Interface VLAN assignment.



The VLAN Identifier box contains the current VLAN assignment (0 if untagged). If desired, enter a different Management Interface VLAN assignment (or 0 if untagged).

Step 2 Enter the Management Interface IP address.

The IP Address text box contains the current Management Interface IP address. If desired, enter a different Management Interface IP address.

Step 3 Enter a Management Interface netmask.

The Netmask text box contains the current Management Interface netmask. If desired, enter a different management interface netmask.

Step 4 Enter the Management Interface Gateway in the Gateway text box.

The Gateway text box contains the default Management Interface gateway. If desired, enter a different Management Interface gateway.

Step 5 Enter the Management Interface Physical Port in the Port Number text box text box.

The Port Number text box contains the current Management Interface physical port. If desired, enter a different Management Interface physical port.

Step 6 Enter the Primary DHCP Server IP address.

The Primary DHCP Server text box contains the default Management Interface primary DHCP server IP address. If necessary, enter a valid primary DHCP server IP address for the Management Interface.

Step 7 Enter the secondary DHCP server box.

The Secondary DHCP Server text box contains the default Management Interface secondary DHCP server IP address. If necessary, enter a valid secondary DHCP server IP address for the Management Interface.

Step 8 Click Next to have the controller save your inputs and display the Miscellaneous Configuration page, in which you will configure some Cisco WLAN Solution parameters.

Redundancy ConfigurationTo configure High Availabilty between two controllers, follow these steps:

Step 1 Configure the management IP address of both the controllers.

Note Before enabling redundancy, ensure that the management IP address of both the controllers are in the same subnet.

Step 2 Enter yes to enable HA.

Step 3 Configure the primary and secondary unit.

Step 4 Configure the Redundant Management and Peer Redundant Management IP address.

Note Both the interfaces should be in same subnet as the Management interface.



Miscellaneous ConfigurationTo perform the miscellaneous configuration, follow these steps:

Step 1 Enter the RF Mobility Domain Name.

The RF Mobility Domain Name text box contains the default RF Mobility Domain Name. If desired, enter a different RF mobility domain name.

Step 2 Enter the country code in the Country Code text box.

The Country Code text box contains the current country code. If desired, enter a different country code.

Step 3 Click Next to have the controller save your inputs and display the Virtual Interface Configuration page, in which you will configure the Virtual Interface parameters.

Virtual Interface ConfigurationTo configure the virtual interface, follow these steps:

Step 1 Enter the IP address.

The IP Address text box contains the default Virtual Interface IP address. Enter a different virtual interface IP address. Note that the Virtual Interface uses any fictitious, unassigned IP address (such as 192.0.2.1), to be used by Layer 3 Security and Mobility managers.

Step 2 Enter the DNS host name.

The DNS Host Name text box contains a space for a Web Auth ID Certificate DNS Host Name. If the controller uses an externally-generated Web Auth ID Certificate that includes a DNS Host Name, enter the DNS Host Name here.

Step 3 Click Next to have the controller save your inputs and display the WLAN Policy Configuration page, in which you will configure the WLAN 1 parameters.

WLAN Policy ConfigurationTo configure the WLAN policy, follow these steps:

Note Refer to the Editing WLANs page for a description of these parameters.

Step 1 Enter the WLAN SSID in the WLAN SSID text box.

The WLAN SSID text box contains the current WLAN 1 SSID. If desired, enter a different SSID.

Step 2 Enter the radio policy you want to adopt in the Radio Policy text box.

The Radio Policy text box contains the default bands controlled by the WLAN 1 policy. If desired, enter a different WLAN 1 policy: 802.11a only, 802.11g only, 802.11b/g only, 802.11a/g only, or All.

Step 3 Enter the admin status in the Admin Status text box.



The Admin Status text box contains the default administrative status (unselected, or disabled). If desired, enable the WLAN 1 policy by selecting the Admin Status box.

Step 4 Enter the session timeout value in the Session Timeout text box.

The Session Timeout text box contains the default 802.11 session timeout (0, or no timeout). If desired, enter a different 802.11 session timeout in minutes.

Step 5 Enter the QoS value in the Quality of Service text box.

The Quality of Service (QoS) text box contains the default QoS status (Silver, or Best Effort QoS). If desired, enter a different QoS: Platinum = Voice, Gold = Video, Bronze = Background, or leave as Silver = Best Effort. VoIP clients should be set to Platinum, Gold or Silver, while low-bandwidth clients can be set to Bronze.

Step 6 Set the AAA Override status.

The Allow AAA Override text box contains the default AAA Override status (unselected, or disabled). If desired, enable AAA Override by selecting the AAA Override box.

Step 7 Set the Blacklist Exclusion List Timeout.

The Blacklist Exclusion List Timeout text box contains the default client Exclusion List (blacklist) timeout status (selected, or enabled). If desired, disable Exclusion List (Blacklist) Timeout by unselecting the Blacklist Timeout box.

Step 8 Enter the number of seconds a client is added to the Exclusion List (blacklisted) after you fail to authenticate three consecutive times.

Step 9 Set the DHCP Server Override.

The DHCP Server Override text box contains the current status (unselected or disabled). If desired, enable DHCP Server Override by selecting the Override box.

Step 10 Set the DHCP Addr. Assignment.

The DHCP Addr. Assignment Required text box contains the current status (unselected or not required). If desired, enable DHCP Address Assignment Required parameter by selecting the Required box.

Step 11 Enter the Interface Name.

The Interface Name text box contains the current WLAN 1 Interface (management). Leave this setting unchanged.

Step 12 Enter the Layer 2 Security.

The Layer 2 Security text box contains the default Layer 2 Security setting (802.1X). If desired, select a different Layer 2 Security setting: None, WPA, 802.1X, Static WEP, Cranite, or Fortress. Refer to the Editing WLANs page for a description of these parameters and the related parameters that can be set for Layer 2 Security.

Step 13 Enter the Layer 3 Security.

The Layer 3 Security text box contains the default Layer 3 Security setting (None). If desired, select a different Layer 3 Security setting: None, IPSec, or VPN Pass Through. Refer to the Editing WLANs page for a description of these parameters and the related parameters that can be set for Layer 3 Security.

Step 14 Click Next to have the controller save your inputs and display the RADIUS Server Configuration page, in which you will configure the RADIUS server parameters.



RADIUS Server ConfigurationIf you do not want to configure a RADIUS server at this time, click Skip to ignore this section, and continue with the 802.11 Configuration section. If you do want to configure a RADIUS server, continue with this section.

To configure a RADIUS server, follow these steps:

Step 1 Enter the RADIUS server IP.

If required, enter a RADIUS server IP address.

Step 2 Enter the RADIUS Server Shared Secret password in the Shared Secret and Confirm Shared Secret text box.

Step 3 Enter the communication port number in the Port Number text box.

The Port Number text box contains the default communication port number (1812). If required, enter a different, unused communication port number.

Step 4 Set the RADIUS server status.

The Server Status text box contains the default RADIUS server status (Disabled). If desired, enable the RADIUS configuration by choosing Enabled.

Step 5 Click Apply to have the controller save your inputs and display the 802.11 Configuration page, in which you will activate or deactivate the different 802.11 bands and the Radio Resource Management (RRM) (RRM software).

802.11 ConfigurationTo configure 802.11 parameters, follow these steps:

Step 1 Set the 802.11a network status by selecting the Network Status check box.

The 802.11a Network Status check box contains the current status (unselected = disabled). If desired, select the box to activate the 802.11a Network in the Cisco WLAN Solution.

Step 2 Set the 802.11b network status by selecting the Network Status check box.

The 802.11b Network Status check box contains the current status (unselected = disabled). If desired, select the Network Status check box to activate the 802.11b Network in the Cisco WLAN Solution.

Step 3 Set the 802.11g network status by selecting the Network Status check box.

The 802.11g Network Status check box contains the current status (unselected = disabled). If desired, select the Network Status check box to activate the 802.11g Network in the Cisco WLAN Solution.

Step 4 Select the Radio Resource Management check box to enable RRM.

The Radio Resource Management check box contains the current Radio Resource Management, or Radio Resource Management, status (selected = enabled). If desired, unselect the box to disable the Radio Resource Management dynamic channel number and transmit power level assignment functions.

Step 5 Click Next to have the controller save your inputs and display the Configuration Wizard Completed page, in which the controller saves your changes in nonvolatile RAM and reboots the controller.



Completing the Configuration WizardTo complete the configuration, follow these steps:

Step 1 Click the Save and Reboot button to have the controller save your changes in nonvolatile RAM and reboot. The operating system prompts you to confirm the operation.

Step 2 Click OK to continue. You have configured the controller using the Web User Interface.


C H A P T E R 9
Notices and Disclaimers
This topic contains notices and disclaimers that pertain to the Cisco Wireless Controller.

NoticesThe following notices pertain to this software license:

• OpenSSL/Open SSL Project

• License Issues

OpenSSL/Open SSL ProjectThis product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product includes software written by Tim Hudson ([email protected]).

License IssuesThe OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected].

OpenSSL License:

Copyright © 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.


http://www.openssl.org/

Chapter 9 Notices and Disclaimers Notices

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”.

4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”.

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

Original SSLeay License:

Copyright © 1995-1998 Eric Young ([email protected]). All rights reserved.

This package is an SSL implementation written by Eric Young ([email protected]).

The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and noncommercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).

Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

“This product includes cryptographic software written by Eric Young ([email protected])”.




Chapter 9 Notices and Disclaimers Disclaimers

The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson ([email protected])”.

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].

DisclaimersAll third party trademarks are the property of their respective owners.


Chapter 9 Notices and Disclaimers Disclaimers


using the cisco wireless controller (cisco wlc) web user ...the summary page provides a top level...

Documents